Abstract


We present a mathematical definition of a hardware description language (HDL) that admits a semantics-preserving translation to a subset of VHDL. Our HDL includes the basic VHDL propagation delay mechanisms and gate-level circuit descriptions. We also develop formal procedures for deriving and verifying concise behavioral specifications of combinational and sequential devices. The HDL and the specification procedures have been formally encoded in the computational logic of Boyer and Moore, which provides a LISP implementation as well as a facility for mechanical proof-checking. As an application, we design, specify, and verify a circuit that achieves asynchronous communication by means of the biphase mark protocol.
1 Introduction


NASA Langley Research Center has conducted a research program in formal methods focusing on the development of a practical verification methodology for fault-tolerant digital flight-control systems. Computational Logic, Inc. (CLI) is one of several organizations that have participated in this program. The first phase of the program addressed the application of formal methods to various key design problems. During this phase, CLI produced results in three areas:

(1) The formal design and verification of a circuit that achieves Byzantine agreement 
among four synchronous processors [1]; 

(2) The mechanical verification of the Interactive Convergence clock synchronization 
algorithm [22]; 

(3) The formalization of the Biphase Mark protocol for asynchronous communica- 
tion [15]. 

The second phase of the program is concerned with exploring the integration of these results in the design of a verified reliable computing platform (RCP) [9, 10] for real-time control. This paper is a report on CLI's effort during this phase.


1.1 Hardware Modeling 

A prerequisite for the realization of NASA's goals is a hardware description language (HDL) that is both (a) amenable to formal verification and (b) suitable for representing asynchronous systems of communicating processors. Much of our effort has been devoted to the development of a language that meets these requirements.

Our previous work in hardware modeling and verification has been based on an HDL developed at CLI by Brock and Hunt [5]. The utility of the Brock-Hunt HDL as a verification tool, as demonstrated in the verification of the FM9001 microprocessor [4], stems from the simplicity of its semantics. All circuits designed in this language are assumed to be driven by an implicit global clock. Simulation of a circuit amounts to a computation of a sequence of states corresponding to clock cycles. Thus, no explicit representation of time or propagation delays is provided, so that the class of circuits that may be satisfactorily modeled is limited. In particular, the language is unsuitable for any application involving asynchrony.

Various commercial hardware simulation languages provide for a broader range of hardware behaviors. VHDL [11], in particular, has gained wide acceptance in the hardware design community as a validation tool. Since the limitations of simulation as a method of validation are well known, a formal verification system based on VHDL would have … Unfortunately, like most programming languages in common use, the semantics of VHDL are complicated and obscure. There have been various attempts [2, 8, 19, 21], but none of these have provided … effective …

We have undertaken, therefore, to identify a core subset of VHDL that is small enough to admit a clear and simple semantic definition, providing for correctness proofs of comprehensive behavioral specifications, but extensive enough to provide realistic gate-level descriptions of the circuits involved in our intended application. Thus, we have avoided complicated language constructs and focused on the VHDL models of time, signal behavior, propagation delay, and event-driven simulation.

The definition of our language is presented in Section 2. Its syntax, based on the S-expressions of LISP (Subsection 2.1), is more abstract and amenable to direct formal analysis than the standard VHDL syntax [11]. The correspondence between the two is straightforward: a simple translator from our language to VHDL is described elsewhere [12]. Here, we concentrate on a mathematical treatment of the abstract language. This begins in Subsection 2.2, where we present the notions of time and waveform, on which the semantics of the language are based. We also define two waveform transformations that embody the main propagation delay modes of VHDL, transport and inertial, and derive their fundamental properties.

In Subsection 2.3, we describe the form and execution of behavioral modules, which are used to model gates and also to specify abstractly the behavior of circuits. Subsection 2.4 discusses structural modules, which provide hierarchical descriptions of circuits in terms of connections among their components. For the purpose of illustration, we exhibit the actual VHDL code generated by the translator for modules of both types.

The semantics of the language are given by an interpreter function, sim, which 
produces a list of waveforms that represent the output generated by a module in response 
to a given list of input waveforms. The definition of sim is presented in Subsection 2.5, 
along with a number of basic results pertaining to its behavior. 

1.2 Behavioral Specifications 

During the course of the design process, a typical hardware device is modeled at various 
levels of abstraction. An initial abstract model, derived from a given behavioral spec- 
ification, is gradually refined to produce a concrete model, such as a network of gates, 
which is more amenable to implementation. A design is validated by demonstrating the 
equivalence of these representations. 

This is most commonly effected through simulation. In VHDL, a circuit component 
may be associated with various alternative architectures, which describe the component 
at different levels of abstraction. The equivalence of architectures may be confirmed 
through comparative simulations. Once a sufficiently low-level VHDL architecture has 
been derived and validated in this manner, it may be implemented directly. 

We propose to replace simulation with formal verification. In our VHDL subset, 
circuit components are represented concretely at the gate level. In Section 3, we shall 
describe a methodology for deriving abstract behavioral specifications and proving that 
they are satisfied by these gate-level models. 

In Subsection 3.1, we consider the relatively simple class of combinational circuits, 
i.e., circuits that are free of cyclic paths. Each output of such a circuit is naturally 
associated with a certain Boolean function of the inputs. This association is commonly 
stated as follows: the value of an output at any time may be computed by applying the 
associated function to the current input values. Obviously, this description is valid only 
with respect to hardware models that ignore propagation delay. We shall derive a more 
accurate specification of combinational circuits and verify its validity in the context of 
our model. 
The analysis of sequential circuits is considerably more complicated. While the abstract sequential machine model is well understood, its precise relationship with the actual behavior of the hardware that it is intended to describe is not. The sequential machine characterization is traditionally based on the extravagant assumption that signal values may change only at discrete points occurring at regular time intervals. This allows the behavior of a signal to be represented abstractly as a sequence of values. The value of an output over a given interval is then expressed as a function of the sequence of input values. Of course, the underlying model again must disregard propagation delay. This approximation seems questionable, since the functionality of the basic state-holding elements generally depends critically on the presence of delays.

In Subsection 3.2, we define a class of sequential circuits that may be characterized as synchronous resettable rising-edge-triggered devices. The basic memory element employed in their construction is a resettable clocked d-flip-flop, composed of nand gates, described in Subsection 3.3. In Subsections 3.4-3.5, we establish a procedure for deriving high-level sequential machine descriptions for the class of circuits. In Subsection 3.6, we prove a theorem that gives a precise statement of the relationship between the sequential machine description of a circuit and its behavior as defined by our gate-level semantics.


1.3 Asynchronous Communication 


The utility of our approach with respect to the NASA RCP depends on our ability to model asynchronous communication between individually synchronous processors. This problem is addressed in Section 4. We present a solution based on Moore's model of asynchrony [15]. After reviewing this model, we prove a theorem that demonstrates its applicability to a class of circuits defined in our language. Each of these circuits consists of a pair of sequential circuits that are driven by independent clocks of approximately … They communicate with the aid of a latch that serves to smooth the sender's output, allowing it to be read by the receiver.

In Section 5, we present a concrete definition of such a circuit that achieves asynchronous communication by means of the well known biphase mark protocol [18]. The circuit design and the proof of its correctness are both based on [15].

1.4 Nqthm Formalization 

The decision to base our language on S-expressions was motivated by our desire to support its analysis with the use of the Nqthm system of Boyer and Moore [3]. Nqthm is based on a constructive formal logic for which the intended model is the domain of S-expressions. Thus, there is a correspondence between the formulas of this logic and informal propositions about S-expressions. A user of the system may extend the logic by adding axioms that correspond to definitions of computable functions over this domain.

Mechanical support for the Nqthm logic is provided by a LISP implementation that includes (1) an evaluator that computes values of functions defined in the logic, and (2) a theorem prover that may be used to derive logical consequences of the axioms. Since these theorems may be interpreted as propositions about functions of S-expressions, the prover may be used to verify (formally and mechanically) the correctness of properties of these functions that have been derived by traditional (informal) mathematical methods.
All of the functions involved in the construction of our language, which we describe informally, meet the computability requirement for encoding as Nqthm definitions [3]. In fact, we have developed an Nqthm theory, presented in Appendix A, that formalizes these functions, including the module recognizers that form the syntax of the language and the interpreter that constitutes its semantics. Thus, we have a complete LISP implementation of our language, provided by the Nqthm evaluator.

Moreover, all of our results, which are justified by informal (but mathematically rigorous) proofs, correspond in a natural way to Nqthm formulas. Thus, these proofs could, in principle, be checked mechanically by the Nqthm prover, thereby increasing our confidence in their validity at the expense of some effort. At the time of this writing, mechanical proofs have been generated for most of the results of Section 2 (see Appendix B), as well as most of the results pertaining to specific circuits, including the components of the biphase mark implementation (Appendix C).

Another benefit of the Nqthm formalization is that it provides a basis for a LISP 
implementation of the translator from our syntax to that of VHDL [12]. This potentially 
allows commercial VHDL synthesis tools to be used to implement our programs in 
silicon. As another application of more immediate interest, we have actually executed 
(the translations of) many of our programs using the Vantage VHDL simulator. For 
the simulations that we have tested, which include all of those described herein, the 
Vantage results were identical to those produced by our LISP-based interpreter. Since 
the official description of VHDL [11] is often ambiguous, this offers useful evidence that 
we have achieved our goal of semantically capturing the VHDL subset in which we are 
interested. 


2 Definition of the Language 

2.1 S-expressions 

Along with the set N of natural numbers, we posit a set B = {T, F} and an infinite set L, the elements of which are called Boolean and literal atoms, respectively. These three sets are assumed to be pairwise disjoint, and any element of their union is called an atom. We further assume that no atom is an ordered pair of atoms, and we recursively define an S-expression to be an atom or an ordered pair of S-expressions. S denotes the set of all S-expressions. Three basic operations on S are defined: If z = (x, y) ∈ S × S, then car(z) = x, cdr(z) = y, and cons(x, y) = z.

We also assume the existence of various distinct literal atoms, which we shall mention as we proceed. Among these is the atom INFINITY. We define a generalized number to be an atom that is either INFINITY or an element of N. Both the order relation and the addition operation on N are extended to the set of generalized numbers in the natural manner: for any n ∈ N, n < INFINITY and n + INFINITY = INFINITY + n = INFINITY.

A list is an S-expression that is either the literal atom NIL or an ordered pair z ∈ S × S such that cdr(z) is a list. The list NIL is denoted alternatively as (), and a non-NIL list z is denoted as (a_1 ... a_n), where a_1 = car(z) and (a_2 ... a_n) denotes cdr(z). In this case, n is the length of z, and a_1, ..., a_n are its members. For 1 ≤ i ≤ n, nth(i, z) is defined to be a_i. A list is a bit vector if each of its members is a Boolean atom.

A function f : B^n → B is an n-ary Boolean function. The following Boolean functions are called elementary: the 0-ary functions t0 and f0, with values T and F respectively; the unary function not1; the binary functions and2, or2, nand2, nor2, xor2; the ternary functions and3, or3, nand3, nor3, xor3; the quaternary functions and4, or4, nand4, nor4, and xor4; and the quinary functions and5, or5, nand5, nor5, and xor5. The definitions of these functions are assumed to be understood.

For the purpose of encoding Boolean function calls, we also assume that each elementary Boolean function f is associated with a unique literal atom f̄, denoted by the same name written in upper case. Thus, the function not1 is associated with the literal atom NOT1. We define a Boolean term over a list L of distinct literal atoms to be an S-expression that is either (a) a member of L, or (b) a list (f̄ r_1 ... r_n), where f is an n-ary elementary Boolean function and each r_i is a Boolean term over L.

Let L = (s_1 ... s_k) be a list of distinct literal atoms and let V = (v_1 ... v_k) be a bit vector. Then pairlist(L, V) is the list A = ((s_1 v_1) ... (s_k v_k)), which is called an association list. If r is a Boolean term over L, then we define eval(r, A) to be (a) v_i, if r = s_i, or (b) f(eval(r_1, A), ..., eval(r_n, A)), if r = (f̄ r_1 ... r_n).

2.2 Waveforms 

Let T be the quotient set determined by the equivalence relation on N ∪ (N × N) that identifies each n ∈ N with the pair (n, 0) ∈ N × N. An element of T is called a time object. Thus, any element of N or N × N denotes a unique time object, with the understanding that for n ∈ N, n and (n, 0) denote the same object.

The motivation for this ordered-pair model of time is the need to provide records of the behavior of zero-delay devices. The components of a time object (n, k) may be interpreted as follows: n represents the number of time units, which we arbitrarily take to be picoseconds, that have elapsed since the start of a simulation; k represents the number of successive delta cycles that have occurred during the current time unit.

Thus, T is ordered according to the lexicographic order on N × N, which is consistent with the natural ordering of N: for time objects t_1 = (n_1, k_1) and t_2 = (n_2, k_2), t_1 < t_2 iff either n_1 < n_2, or n_1 = n_2 and k_1 < k_2. Thus the minimum element of T is the time object that is denoted alternatively as 0 or (0, 0). For t_1, t_2 ∈ T, the interval {t : t_1 ≤ t < t_2} will be denoted as [t_1, t_2).

An event is an ordered pair e = (v, t), where v = value(e) ∈ B and t = time(e) ∈ T. Let w = ((v_n, t_n) ... (v_0, t_0)) be a list of events. If t_i > t_{i-1} and v_i ≠ v_{i-1} for 0 < i ≤ n, and t_0 = 0, then w is a waveform. Note that according to this definition, successive events of a waveform must have different values; in VHDL terminology, all transactions are events. This restriction is consistent with the absence of implicit signals from our subset: since there is no way to detect transactions other than events (e.g., by means of the ACTIVE and TRANSACTION attributes), they may be ignored.

We define the function w̄ : T → B by w̄(t) = v_j, where j is the greatest value of i satisfying t_i ≤ t; w̄(t) is called the value of w at t, and in the sequel we abbreviate w̄(t) as w(t). Note that w̄_1 = w̄_2 iff w_1 = w_2. If t = t_j, then we shall say that w has a new value at t. We also define the history of w relative to t to be the waveform hist(w, t) = ((v_j, t_j) ... (v_0, t_0)).

A packet p is a list of waveforms, p = (w_1 ... w_n), n ≥ 0. For any t ∈ T, the value of p at t is the bit vector p(t) = (w_1(t) ... w_n(t)); p has a new value at t if any member of p does. The history of p relative to t is the packet hist(p, t) = (hist(w_1, t) ... hist(w_n, t)).
The behavior of each signal occurring in a circuit will be modeled as a waveform. During the course of a simulation, these waveforms are updated at various times. When a waveform is considered in the context of a current time t_0, each of its members e is viewed as a past, current, or future event, according to the relationship between time(e) and t_0. Past and present events are immutable, but future events are subject to deletion as they are superseded by newly scheduled events, as described below.

Whenever a new event e is to be scheduled for a signal, time(e) is computed from the current time t_0 = (n, k) and a delay d ∈ N that is associated with the signal, by means of an addition operation ⊕ from T × N to T, defined as follows:

$$(n, k) \oplus d = \begin{cases} (n + d,\ 0) & \text{if } d \neq 0 \\ (n,\ k + 1) & \text{if } d = 0. \end{cases}$$


Thus, regardless of delay, when a new event e = (v, t_v) is scheduled on a waveform w at time t_0, we have t_0 < t_v. The scheduling may be performed by either of two procedures, corresponding to the transport and inertial delay modes of VHDL. Note that the definitions of these procedures are somewhat different from the processes described in [11], due to our restricted notion of waveform.

Transport delay is the simpler of the two: each event (v', t') with t' ≥ t_v is deleted from w, and e is then consed to the result, unless that result already has value v at t_v. The updated waveform w' is computed as the value of transport(w, v, t_v), which is defined recursively as follows:

(1) Let car(w) = (v_f, t_f). If t_f ≥ t_v, then w' = transport(cdr(w), v, t_v); otherwise:

(2) If v_f = v, then w' = w; otherwise:

(3) w' = cons((v, t_v), w).

Alternatively, w' may be described in terms of the function w̄:

$$w'(t) = \begin{cases} v & \text{if } t \geq t_v \\ w(t) & \text{if } t < t_v. \end{cases}$$


Inertial delay is somewhat more complicated: every event (v', t') with t' > t_0 is deleted from w, and if w(t_0) ≠ v, then a single event with value v is consed to the result. If w(t_v) = v, then the time of this event is the time of the last event of w that precedes t_v; otherwise, it is t_v. Note that this procedure takes the current time t_0 as an additional argument, and requires that t_0 < t_v. The recursive definition of w' = inertial(w, v, t_0, t_v) is given as follows:

(1) Let ŵ = hist(w, t_0). If ŵ(t_0) = v, then w' = ŵ; otherwise:

(2) Let car(w) = (v_f, t_f). If t_f ≥ t_v, then w' = inertial(cdr(w), v, t_0, t_v); otherwise:

(3) If v_f = v, then w' = cons((v, t_f), ŵ); otherwise:

(4) w' = cons((v, t_v), ŵ).
[Figure 1: Transport and Inertial Delay. Panels (a), (b), and (c); the diagram itself is not reproduced here.]


Transport mode is often used to model wires (along which pulses of arbitrarily small duration are propagated to the delayed signal), while gate outputs are generally modeled by inertial delay. The difference between the two modes is illustrated in Fig. 1. The diagram labelled (a) represents the waveform

    w = ((T, 9) (F, 8) (T, 6) (F, 5) (T, 3) (F, 1) (T, 0)).

The results of updating w at time 1 by scheduling an event with time 7 and value T in both transport and inertial modes are

    transport(w, T, 7) = ((T, 6) (F, 5) (T, 3) (F, 1) (T, 0))

and

    inertial(w, T, 1, 7) = ((T, 6) (F, 1) (T, 0)),

as shown in (b) and (c), respectively.

The following is a useful summary of both propagation functions. Each result may be proved by a straightforward induction. Note that (b) is consistent with our earlier informal observation that past and present events are immutable:


Lemma 2.1 Let w be a waveform, let t_0, t_1, t_2, and t_v be natural numbers with t_0 < t_v, and let w' be either transport(w, v, t_v) or inertial(w, v, t_0, t_v). Then

(a) w'(t) = v for t ≥ t_v;

(b) w'(t) = w(t) for t < t_0;

(c) if t_1 ≤ t_0 < t_2 ≤ t_v and w(t) = u for t ∈ [t_1, t_2), then w'(t) = u for t ∈ [t_1, t_2).

A similar induction shows that both procedures are "idempotent" in the following sense:

Lemma 2.2 If w is a waveform and t_0, t_v, t'_0, t'_v are natural numbers with t_0 < t_v, t'_0 < t'_v, t_0 ≤ t'_0, and t_v ≤ t'_v, then

(a) transport(transport(w, v, t_v), v, t'_v) = transport(w, v, t_v);

(b) inertial(inertial(w, v, t_0, t_v), v, t'_0, t'_v) = inertial(w, v, t_0, t_v).
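As an added example (not part of the paper, and not its Nqthm encoding), the following Python transcribes the waveform model of this subsection: time objects, the ⊕ operation, w(t), hist, and the transport and inertial procedures, exercised on the waveform of Figure 1 and on the hypotheses of Lemmas 2.1 and 2.2. The names tobj, plus, figure1_example and check_lemmas, and the representation of T and F by True and False, are my own.

```python
from typing import List, Tuple, Union

Time = Union[int, Tuple[int, int]]   # n or (n, k); n alone denotes (n, 0)
Event = Tuple[bool, Time]            # (value, time)
Waveform = List[Event]               # newest event first, last event at time 0

def tobj(t: Time) -> Tuple[int, int]:
    """Normalise a time object to the pair (n, k); n alone denotes (n, 0)."""
    return (t, 0) if isinstance(t, int) else tuple(t)

def plus(t0: Time, d: int) -> Tuple[int, int]:
    """(n, k) (+) d: a positive delay advances the picosecond count and resets
    the delta counter; a zero delay starts another delta cycle at the same n."""
    n, k = tobj(t0)
    return (n + d, 0) if d != 0 else (n, k + 1)

def value(w: Waveform, t: Time) -> bool:
    """w(t): the value of the most recent event of w at or before t."""
    tn = tobj(t)
    for v, te in w:
        if tobj(te) <= tn:
            return v
    raise ValueError("not a waveform: no event at time 0")

def hist(w: Waveform, t: Time) -> Waveform:
    """hist(w, t): the events of w that occur at or before t."""
    tn = tobj(t)
    return [(v, te) for v, te in w if tobj(te) <= tn]

def transport(w: Waveform, v: bool, tv: Time) -> Waveform:
    """Transport mode: delete every event at or after tv, then cons (v, tv)
    unless the remaining waveform already has value v at tv."""
    tvn = tobj(tv)
    rest = [(vf, tf) for vf, tf in w if tobj(tf) < tvn]
    return rest if rest[0][0] == v else [(v, tv)] + rest

def inertial(w: Waveform, v: bool, t0: Time, tv: Time) -> Waveform:
    """Inertial mode: keep only the history up to the current time t0; if the
    value at t0 is already v nothing is scheduled.  Otherwise the new event
    takes the time of the last event of w before tv when w already has value
    v at tv (a pulse shorter than the delay is swallowed), and time tv if not."""
    t0n, tvn = tobj(t0), tobj(tv)
    if not t0n < tvn:
        raise ValueError("inertial requires t0 < tv")
    past = hist(w, t0)
    if value(past, t0) == v:
        return past
    vf, tf = next((vf, tf) for vf, tf in w if tobj(tf) < tvn)  # last event before tv
    return [(v, tf)] + past if vf == v else [(v, tv)] + past

T, F = True, False

def figure1_example():
    """The waveform of Fig. 1(a), updated at time 1 with an event (T, 7)."""
    w = [(T, 9), (F, 8), (T, 6), (F, 5), (T, 3), (F, 1), (T, 0)]
    return transport(w, T, 7), inertial(w, T, 1, 7)

def check_lemmas(w, v, t0, tv, t0p, tvp):
    """Lemma 2.1(a)-(b) and Lemma 2.2 for natural-number times satisfying
    t0 < tv, t0' < tv', t0 <= t0', tv <= tv'."""
    if not (t0 < tv and t0p < tvp and t0 <= t0p and tv <= tvp):
        raise ValueError("hypotheses of Lemma 2.2 not met")
    ok = True
    for wp in (transport(w, v, tv), inertial(w, v, t0, tv)):
        ok = ok and all(value(wp, t) == v for t in range(tv, tvp + 5))    # 2.1(a)
        ok = ok and all(value(wp, t) == value(w, t) for t in range(t0))   # 2.1(b)
    ok = ok and transport(transport(w, v, tv), v, tvp) == transport(w, v, tv)
    ok = ok and inertial(inertial(w, v, t0, tv), v, t0p, tvp) == inertial(w, v, t0, tv)
    return ok
```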
2.3 Behavioral Modules

The simplest programs of our language are the behavioral modules, which contain ex- 
plicit information concerning propagation delay and the functional dependence of out- 
puts on inputs. 

A behavioral module is a list M = (BEHAV I O T D P), where

(1) BEHAV is the identifying literal atom for modules of this type;

(2) I = I(M) = (r_1 ... r_m) is a list of literal atoms called the inputs of M;

(3) O = O(M) = (s_1 ... s_n) is a list of literal atoms called the outputs of M;

(4) T = T(M) = (τ_1 ... τ_n) is a list of elementary Boolean terms over I(M), called the output terms of M;

(5) D = D(M) = (d_1 ... d_n) is a list of natural numbers, the delays of M;

(6) P = P(M) = (p_1 ... p_n) is a list of literal atoms called the propagation modes of M, each of which is either TRANSPORT or INERTIAL.

The members of the list (r_1 ... r_m s_1 ... s_n) are required to be distinct and are called the signals of M.

Note that each output is associated with a term, a mode, and a delay. If every term is either an atom or a list of atoms (i.e., contains no nested function calls), then M is primitive.

Gates are generally modeled as primitive modules with inertial delays. For example, we represent a simple 2-input nand gate as the primitive module nand2:

    (BEHAV (A B) (C) ((NAND2 A B)) (2000) (INERTIAL))

We may define a similar behavioral module, with n inputs and 1 output, corresponding to each elementary n-ary Boolean function, arbitrarily taking the delay to be 2000 in each case. In the sequel, we shall refer to these primitive modules without explicitly listing their definitions.

For the purpose of illustration, the following primitive module m is defined to have one output of each propagation mode:

    (BEHAV (A B) (C D) ((NAND2 A B) (NOT1 A)) (2000 5000) (INERTIAL TRANSPORT))

The VHDL code corresponding to a behavioral module consists of 

(a) an entity declaration, consisting of a port clause listing the input signals as ports 
of mode IN and the output signals as ports of mode OUT, all of type BIT; 

(b) an architecture body, consisting of a concurrent signal assignment statement cor- 
responding to each output signal. 

The code (generated by our translator) for the module m defined above is displayed in Figure 2(a). Note that our time units are interpreted by the translator as picoseconds, and hence the delays are expressed as 2 and 5 nanoseconds. Note also that there is no mention of inertial delay in the translation, since this is the VHDL default mode.

Another example of a behavioral module is the 1-bit adder adder1:

    (BEHAV (A B C) (L H)
           ((XOR3 A B C) (OR2 (AND2 A (OR2 B C)) (AND2 B C)))
           (12000 10000)
           (INERTIAL INERTIAL))

The two outputs of this module represent the 2-bit sum of the three input bits. Since the higher-order "carry" output bit is not expressed as an elementary function of the inputs, this is not a primitive module.

Figure 2: VHDL Code

(a)

    ENTITY m IS
      PORT(a,b: IN BIT; c,d: OUT BIT);
    END m;

    ARCHITECTURE m OF m IS
    BEGIN
      c <= a NAND b AFTER 2 NS;
      d <= TRANSPORT NOT a AFTER 5 NS;
    END m;

(b)

    ENTITY adder2 IS
      PORT(a,b,c: IN BIT; l,h: OUT BIT);
    END adder2;

    ARCHITECTURE adder2 OF adder2 IS
      COMPONENT nand
        PORT(a,b: IN BIT; c: OUT BIT);
      END COMPONENT;
      SIGNAL t1,t2,t3,t4,t5,t6,t7: BIT;
    BEGIN
      I1: nand PORT MAP (a,b,t1);
      I2: nand PORT MAP (a,t1,t2);
      I3: nand PORT MAP (b,t1,t3);
      I4: nand PORT MAP (t2,t3,t4);
      I5: nand PORT MAP (c,t4,t5);
      I6: nand PORT MAP (c,t5,t7);
      I7: nand PORT MAP (t5,t4,t6);
      I8: nand PORT MAP (t5,t1,h);
      I9: nand PORT MAP (t7,t6,l);
    END adder2;

Let s = nth(j, O(M)) be an output of a behavioral module M, and let τ = nth(j, T(M)) be the corresponding term. For any bit vector V of the same length as I(M), we define the combinational value of s w.r.t. V as cv(s, V, M) = eval(τ, pairlist(I(M), V)).

We shall say that a list of waveforms is an input (resp., output) packet for a module M if it has the same length as I(M) (resp., O(M)). The semantics of behavioral modules are defined by a function exec of four arguments: (1) a module M, (2) an input packet p_in for M, (3) an output packet p_out = (w_1 ... w_n) for M, and (4) a time object t_0. The value of exec(M, p_in, p_out, t_0) is the updated output packet p' = (w'_1 ... w'_n) that results from "executing" M at t_0. It is defined as follows: For i = 1, ..., n, let v_i be the combinational value of nth(i, O(M)) w.r.t. p_in(t_0), and let t_i = t_0 ⊕ nth(i, D(M)). Then w'_i is either transport(w_i, v_i, t_i) or inertial(w_i, v_i, t_0, t_i), according to nth(i, P(M)).

Our first observation concerning the behavior of exec is that its value depends only on the current values of the input:


Lemma 2.3 Let p_1 and p_2 be input packets and let p_out be an output packet for a behavioral module M. For any t_0 ∈ T, if p_1(t_0) = p_2(t_0), then exec(M, p_1, p_out, t_0) = exec(M, p_2, p_out, t_0).

Two other basic properties may be derived as consequences of Lemmas 2.1(b) and 2.2:

Lemma 2.4 Let p_in and p_out be an input packet and an output packet for a behavioral module M. For any t_0 ∈ T, hist(exec(M, p_in, p_out, t_0), t_0) = hist(p_out, t_0).

Lemma 2.5 Let p_in and p_out be an input packet and an output packet for a behavioral module M and let t_0 and t_1 be time objects. If t_0 ≤ t_1 and p_in(t_0) = p_in(t_1), then exec(M, p_in, exec(M, p_in, p_out, t_0), t_1) = exec(M, p_in, p_out, t_0).


2.4 Structural Modules 

Our language also includes modules that represent hierarchically constructed circuits. 
These structures contain information concerning interconnections among the modules 
of which they are composed. 

A structural module is a list M = (STRUCT I O S LI LO), where

(1) STRUCT is the identifying literal atom for modules of this type;

(2) I = I(M) = (r_1 ... r_m) is a list of literal atoms called the (global) inputs of M;

(3) O = O(M) = (s_1 ... s_n) is a list of literal atoms called the (global) outputs of M;

(4) S = S(M) = (μ_1 ... μ_k) is a list of (structural or behavioral) modules, called the submodules of M;

(5) LI = LI(M) = (A_1 ... A_k), where for j = 1, ..., k, A_j = (a_j1 ... a_jm_j) is a list of literal atoms called the j-th local inputs of M, and m_j is the length of I(μ_j);

(6) LO = LO(M) = (B_1 ... B_k), where for j = 1, ..., k, B_j = (b_j1 ... b_jn_j) is a list of literal atoms called the j-th local outputs of M, and n_j is the length of O(μ_j).

The members of the list (r_1 ... r_m b_11 ... b_1n_1 ... b_k1 ... b_kn_k), consisting of the global inputs and all local outputs, are required to be distinct and are called the signals of M. There is no such constraint on the global outputs or local inputs, but each local input must be a signal of M, and each global output must be a local output.

Note that the local inputs and outputs of M correspond to its submodules. Thus, 
intuitively, the submodules of a structure generate signals that are distinct from each 
other and from the structure’s inputs. Each signal may be connected to arbitrarily many 
submodule inputs. A signal other than a global input may serve as any number of global 
outputs, but global inputs and outputs are distinct. 

One additional constraint must be imposed on structural modules: in order to ensure 
that any simulation (as defined in the next section) of a module terminates, our struc- 
tures are required to be free of zero-delay cyclic paths. Several preliminary definitions 
will be needed in order to make this notion precise. 

We shall define a computable function that measures the (possibly infinite) maximum length of any path of signals within a structure along which the total delay is 0. The definition will be based on an auxiliary function, δ(M, s, E, L), the arguments of which are to be understood as follows:
(1) M may be either the top-level structure or one of its components at any level of the hierarchy;

(2) s is a signal of M;

(3) E = (e_1 ... e_n) is a list of generalized numbers corresponding to O(M). For each i, e_i is intended to represent the maximum length of any path that starts at the i-th output and leads out of M. Such a list is called an environment for M;

(4) L is a list of signals of M, each of which is known to lie on some infinite path.

Under these assumptions, we may think of δ = δ(M, s, E, L) as the maximum length of a path starting at s. It is computed recursively as follows:

(1) If s is a member of L, then δ = INFINITY. Otherwise:

(2) Let Δ_1 = max{e_i : s = s_i}, where O(M) = (s_1 ... s_n). (The maximum of the null set is taken to be 0.)

(3) Suppose M is behavioral. Let D(M) = (d_1 ... d_n). If s is an input of M and some d_i = 0, then let Δ_2 = 1 + max{e_i : d_i = 0}; otherwise, Δ_2 = 0.

(4) Suppose M is structural with S(M) = (μ_1 ... μ_k). For 1 ≤ i ≤ k, let nth(i, LI(M)) = (a_i1 ... a_im_i), let nth(i, LO(M)) = (b_i1 ... b_in_i), and let E_i be the environment (ε_i1 ... ε_in_i) for μ_i, where for 1 ≤ l ≤ n_i, ε_il = δ(M, b_il, E, cons(s, L)). Let δ_ij = δ(μ_i, a_ij, E_i, NIL) for i = 1, ..., k and j = 1, ..., m_i. Let Δ_2 = max{δ_ij : s = a_ij}.

(5) δ = max(Δ_1, Δ_2).


The function Δ is defined by Δ(M, s, E) = δ(M, s, E, NIL). Next, we define the relative δ-depth of a module M with respect to an environment E to be the number ρ computed as follows:

(1) Let D_0 be the maximum value of Δ(M, s, E) over all signals s of M. If M is behavioral, then ρ = D_0. Otherwise:

(2) Let M be structural with S(M) = (μ_1 ... μ_k). For 1 ≤ i ≤ k, let nth(i, LO(M)) = (b_i1 ... b_in_i) and let D_i be the relative δ-depth of μ_i with respect to the environment (Δ(M, b_i1, E) ... Δ(M, b_in_i, E)). Then ρ = max(D_0, D_1, ..., D_k).

Finally, we define the δ-depth of M to be its relative δ-depth with respect to the environment (0 ... 0). This represents the length of the longest 0-delay path through M. If it is not INFINITY, we shall say that M is δ-acyclic. All structural modules in our language are required to have this property.

Although we have gone to considerable effort to formalize the VHDL “delta delay” 
mechanism, the examples in which we are interested exhibit only positive delays. Our 
first example, the structural module adder2, is composed of nine nand2 gates and intended 
as a gate-level “implementation” of the behavioral module adder1: 

(STRUCT (A B C) (L H) 
(nand2 nand2 nand2 nand2 nand2 nand2 nand2 nand2 nand2) 
((A B) (A T1) (B T1) (T2 T3) (C T4) (T5 T4) (C T5) (T5 T1) (T7 T6)) 
((T1) (T2) (T3) (T4) (T5) (T6) (T7) (H) (L))) 

The VHDL code corresponding to a structural module consists of 

(a) an entity declaration, consisting of a port clause listing the inputs as ports of mode 
IN and each output as a port, either of mode BUFFER, if it occurs as a local input, 
or of mode OUT, if it does not; 

(b) an architecture body, consisting of a component declaration corresponding to each 
module that occurs as a submodule, a signal declaration corresponding to each 
local output that is not a global output (and hence does not already occur as a 
port), and a component instantiation statement corresponding to each submodule. 

The code for adder2 is shown in Figure 2(b), and a circuit diagram appears in Fig- 
ure 3(b). Later, we shall compare the behaviors of adderl and adder2. 

Of course, a signal path may be cyclic, provided that some signal in the path is 
associated with a positive delay. This is an important feature of our language, as it 
allows the modeling of state-holding devices. Figure 3(a) shows a clocked resettable 
d-flip-flop, which is modeled by the structural module dff: 

(STRUCT (CLK RST D) (Q QN) 
(not1 and2 nand2 nand2 nand3 nand2 nand2 nand2) 
((RST) (RN D) (B2 B1) (A1 CLK) (B1 CLK B2) (A2 DD) (B1 QN) (Q A2)) 
((RN) (DD) (A1) (B1) (A2) (B2) (Q) (QN))) 

In addition to five 2-input nand gates, the submodules of dff include an inverter not1, 
a 2-input and gate and2, and a 3-input nand gate nand3, the definitions of which are 
assumed to be understood. 

We shall define the semantics of structural modules by means of a function step, based 
on the exec function of Section 4. Note that the notions of input and output packets 
may be naturally applied to any module. For a structural module M, however, instead 
of a simple output packet, the third argument of step must be an object that consists of 
a waveform corresponding to each signal generated by each component of M. Thus, for 
any module M, we define a bundle for M to be a list B such that (a) if M is behavioral, 
then B is an output packet for M; (b) if M is a structure with S(M) = (μ_1 ... μ_k), 
then B = (β_1 ... β_k), where β_i is a bundle for μ_i, i = 1, ..., k. 

Let B be a bundle for a module M and let s be a signal of M that is not an input of 
M. The waveform for s determined by B is the waveform w that is computed as follows: 
(a) if M is behavioral and s = nth(j, O(M)), then w = nth(j, B); (b) if M is structural 
and s = nth(j, nth(i, LO(M))), then w is the waveform for nth(j, O(nth(i, S(M)))) 
determined by nth(i, B). 

The output packet for M determined by B, denoted as outp(M, B), is defined as 
follows: (a) if M is behavioral, then outp(M, B) = B; (b) if M is structural with 
O(M) = (s_1 ... s_n), then outp(M, B) = (w_1 ... w_n), where for 1 ≤ j ≤ n, w_j is the 
waveform for s_j determined by B. 
Figure 3: (a) D-Flip-Flop (b) 1-Bit Adder 


Let M be a structural module with nth(i, LI(M)) = (s_1 ... s_mi). Let p be an 
input packet and let B be a bundle for M. The i-th input packet determined by p and 
B, denoted as inp(i, M, p, B), is the input packet (w_1 ... w_mi) for nth(i, S(M)), where 
for 1 ≤ j ≤ m_i, w_j is computed as follows: (a) if s_j is a global input nth(k, I(M)), then 
w_j = nth(k, p); (b) if s_j is a local output, then w_j is the waveform for s_j determined by 
B. 

We may now define step. Let p and B be an input packet and a bundle, respectively, 
for an arbitrary module M, and let t ∈ T. Then step(M, p, B, t) is the bundle B' defined 
as follows: (a) if M is behavioral, then B' = exec(M, p, B, t) if p has a new value at t, 
and B' = B if not; (b) if M is structural with S(M) = (μ_1 ... μ_k) and B = (β_1 ... β_k), 
then B' = (β'_1 ... β'_k), where β'_i = step(μ_i, inp(i, M, p, B), β_i, t). 

Thus, the execution of a structure at time t amounts to the execution of each behavioral 
component for which the value of some input signal changes at t. 

We have the following generalization of Lemma 2.3: 

Lemma 2.6 Let p_1 and p_2 be input packets and let B be a bundle for a module M. Let 
t_0 ∈ T. If hist(p_1, t_0) = hist(p_2, t_0), then step(M, p_1, B, t_0) = step(M, p_2, B, t_0). 

The history of a structural bundle (β_1 ... β_k) relative to a time t is recursively defined 
to be (hist(β_1, t) ... hist(β_k, t)). Lemma 2.4 may be generalized as follows: 

Lemma 2.7 Let p and B be an input packet and a bundle for a module M. For any 
t_0 ∈ T, hist(step(M, p, B, t_0), t_0) = hist(B, t_0). 

2.5 Simulation 

Let p and B be an input packet and a bundle for a module M. For any t ∈ T, we define 
t_next(t, p, B, M) to be the minimum element of the set of all t' ∈ T that occur as times 
of events in the waveforms of p and B and that satisfy t' > t, if this set is nonempty; 
otherwise, t_next(t, p, B, M) is undefined. 

A simulation of M consists of repeated applications of step, which are performed by 
the function run. For t_0, t_f ∈ T, we define run(M, p, B, t_0, t_f) to be the bundle B' that 
is computed recursively as follows: Let t_next = t_next(t_0, p, B, M). If t_next is defined and 
t_next ≤ t_f, then B' = run(M, p, step(M, p, B, t_next), t_next, t_f); otherwise, B' = B. 

It is not obvious that this is a valid recursive definition, i.e., that it is satisfied by a 
unique function. This may be established by exhibiting some measure of the arguments 
that decreases with each recursive call. More precisely, it suffices to define a function 
meas such that under the assumptions imposed on the arguments of run, 

meas(M, p, step(M, p, B, t_next), t_next, t_f) ≺ meas(M, p, B, t_0, t_f) 

with respect to some well-founded order ≺. (In fact, this is the requirement for 
admissibility of Nqthm function definitions.) 

We may construct an appropriate measure based on a function φ(M, p, B) that computes 
an upper bound on the delta component of any time object that occurs in any 
waveform during the course of a simulation. For each signal s of M or any module 
occurring in M, this function computes the sum of (a) the length of the longest 0-delay 
path through M starting at s and (b) the largest delta component that occurs in the 
waveform of p or B that corresponds to s. φ(M, p, B) is the maximum of these sums. 
(We omit the actual recursive definition of φ, which parallels that of δ-depth.) 

Now, if t_0 = (m_1, k_1) and t_f = (m_f, k_f), then we define 

meas(M, p, B, t_0, t_f) = (m_f − m_1, φ(M, p, B) − k_1). 

It may be shown that with respect to the lexicographic order on N × N, this function 
satisfies the property stated above. Note that its definition, and hence that of run, 
ultimately depends on the assumption that M is δ-acyclic. 

The function meas provides an induction scheme for deriving properties of run. 
The following, for example, is proved by induction as an immediate consequence of 
Lemma 2.7: 

Lemma 2.8 Let p and B be an input packet and a bundle for a module M. For any 
t_0, t_f ∈ T, hist(run(M, p, B, t_0, t_f), t_0) = hist(B, t_0). 

The next lemma, similarly proved by induction, provides for the decomposition of a 
simulation interval: 

Lemma 2.9 If p and B are an input packet and a bundle for a module M, and t_0 ≤ 
t* ≤ t_f, then run(M, p, B, t_0, t_f) = run(M, p, run(M, p, B, t_0, t*), t*, t_f). 

Another property of run that is important in the analysis of circuit behavior is the 
following basic result, which describes the behavior of a structural module in terms of 
that of its components. It is interesting that its proof requires the two properties of 
step that are stated in Lemmas 2.6 and 2.7, namely that module execution is neither 
predictive (with respect to input) nor retroactive (with respect to output). 

Lemma 2.10 Let p and A = (α_1 ... α_k) be an input packet and a bundle for a structural 
module M with S(M) = (μ_1 ... μ_k). Let t_0, t_1 ∈ T and B = (β_1 ... β_k) = 
run(M, p, A, t_0, t_1). Then β_i = run(μ_i, b_i, α_i, t_0, t_1), where b_i = inp(i, M, p, B), i = 
1, ..., k. 

Proof: Let A' = (α'_1 ... α'_k) = step(M, p, A, t'), where t' = t_next(t_0, p, A, M). 
Then by definition of step, α'_i = step(μ_i, a_i, α_i, t'), where a_i = inp(i, M, p, A), and 
by definition of run, B = run(M, p, A', t', t_1). By induction, we may assume that 

β_i = run(μ_i, b_i, α'_i, t', t_1). 

It follows from Lemmas 2.7 and 2.8 that hist(A, t') = hist(B, t'). Consequently, 
hist(a_i, t') = hist(b_i, t'). By Lemma 2.6, α'_i = step(μ_i, b_i, α_i, t'). Thus, we have β_i = 
run(μ_i, b_i, step(μ_i, b_i, α_i, t'), t', t_1). 

Let t'' = t_next(t_0, b_i, α_i, μ_i). Clearly, if t'' is defined, then t'' ≥ t'. If t'' = t', then 

run(μ_i, b_i, α_i, t_0, t_1) = run(μ_i, b_i, step(μ_i, b_i, α_i, t''), t'', t_1) 
= run(μ_i, b_i, step(μ_i, b_i, α_i, t'), t', t_1) = β_i. 

In the remaining case, 

run(μ_i, b_i, α_i, t_0, t_1) = run(μ_i, b_i, α_i, t', t_1) 
= run(μ_i, b_i, step(μ_i, b_i, α_i, t'), t', t_1) = β_i. □ 

The definition of our top-level simulation function sim depends on run as well as 
a function init, which generates an initial bundle from a module and an input packet. 
First, for a given module M, we define the bundle B_0(M): 

(1) If M is behavioral, then B_0(M) is the output packet (w_0 ... w_0) for M, where w_0 is 
the trivial waveform; 

(2) If M is structural and S(M) = (μ_1 ... μ_k), then B_0(M) = (B_0(μ_1) ... B_0(μ_k)). 

Thus, every waveform of B_0(M) is the trivial w_0, which has the constant value w_0(t) = 
F. Prior to simulation, each of these waveforms is updated by executing every behavioral 
component of M. The result is the bundle init(M, p), defined as follows: 

(1) If M is behavioral, then init(M, p) = exec(M, p, B_0(M), 0); 

(2) If M is structural with S(M) = (μ_1 ... μ_k), then 

init(M, p) = (init(μ_1, inp(1, M, p, B_0(M))) ... init(μ_k, inp(k, M, p, B_0(M)))). 

Now, given an input packet p for M and a time object t, we define 
sim(M, p, t) = run(M, p, init(M, p), 0, t). 

We note the following restatements of Lemmas 2.9 and 2.10: 

Lemma 2.11 If p is an input packet for a module M, and t_1 ≤ t_2, then sim(M, p, t_2) = 
run(M, p, sim(M, p, t_1), t_1, t_2). 

Lemma 2.12 Let p be an input packet for a structural module M with S(M) = (μ_1 ... μ_k), 
let t ∈ T, and let B = (β_1 ... β_k) = sim(M, p, t). Then β_i = sim(μ_i, b_i, t), where 
b_i = inp(i, M, p, B), i = 1, ..., k. 


Figure 4: Simulation of m 


As a simple example, a simulation of the primitive module m is illustrated in Figure 4. 
The waveforms corresponding to the inputs A and B are 

w_A = ((T, 60000) (F, 21000) (T, 20000) (F, 10000) (T, 0)) 

and 

w_B = ((T, 70000) (F, 30000) (T, 0)), 

respectively. These are shown along with the waveforms 

w_C = ((F, 72000) (T, 12000) (F, 0)) 

and 

w_D = ((F, 65000) (T, 26000) (F, 25000) (T, 15000) (F, 0)) 

of the output sim(m, p, 80000) = (w_C w_D). 

This example exhibits a fundamental difference between transport and inertial delay: 
an input pulse of duration less than the delay, as occurs in w_A, is not reflected in an 
inertial output. 

All of the simulation results that we report herein were produced by the Nqthm 
implementation of sim and have been matched with the output of the corresponding 
Vantage simulations of the VHDL translations of these modules. One further observation 
is warranted, however, in support of the claim that our language definition adheres to 
the VHDL standard [11]. There is an apparent discrepancy between the definition of 
sim and the standard: in our language, each output waveform of a behavioral module 
is updated whenever there is a change in any input value. In VHDL, on the other hand, 
in the absence of any instruction to the contrary (i.e., an explicit “sensitivity list”), a 
signal’s waveform is updated only in response to changes in those inputs on which the 
signal is functionally dependent. 

Consider, for example, the output D of the module m. The VHDL code corresponding 
to this signal (Figure 2) is executed only in response to events of the input waveform 
w_A. However, according to our definitions of exec and step, its waveform is also updated 
whenever the value of B changes, e.g., at time 30000 in our example. 

Nonetheless, as illustrated in Figure 4, the behavior of this output signal is completely 
independent from that of B, in accordance with the VHDL standard. In order 
to understand this, consider the waveform w that represents this signal before the 
execution of m at time 21000. The updated waveform after this execution is w' = 
transport(w, T, 26000). Although w' is further updated when the value of B changes 
at 30000, the value of (NOT1 A) remains T, and hence, by Lemma 2.2, the resulting 
waveform is transport(w', T, 35000) = w'. 

The above argument is based on the simple observation that at the time of any 
change in input during a simulation of a behavioral module, the output packet is the 
result of executing the module at that time. In fact, an interesting property of our 
simulator is that this holds true even when there is no input change, i.e., regardless of 
whether the execution actually occurs: 

Lemma 2.13 Let p be an input packet for a behavioral module M, let t ∈ T and let 
B = sim(M, p, t). Then B = exec(M, p, B, t). 

Proof: It is easily shown by induction and Lemma 2.5, that if B_0 = exec(M, p, B_0, t_0) 
and B_1 = run(M, p, B_0, t_0, t_1), then B_1 = exec(M, p, B_1, t_1). The lemma is an instance 
of this result, with t_0 = 0, B_0 = init(M, p), t_1 = t, and B_1 = B. □ 

3 Specification of Synchronous Circuits 

In order to simplify our analysis of circuit behavior, we shall assume in the sequel that 
delays associated with outputs of behavioral modules are positive. (All of the examples in 
which we are interested conform to this assumption.) It follows that every time object 
occurring in a waveform produced by the simulator may be represented as a simple 
natural number. Thus, we may replace T by N and the addition of time objects by “+”. 


3.1 Combinational Modules 

Before undertaking a characterization of synchronous sequential circuits, we shall consider 
the relatively simple class of combinational circuits. Let P = (s_1 ... s_p) be a list 
of signals of a structural module M such that for each i, 1 < i ≤ p, there exists j such 
that s_{i−1} is a member of nth(j, LI(M)) and s_i is a member of nth(j, LO(M)). Then P 
is a path in M from s_1 to s_p. If s_1 = s_p, then P is a loop in M. An arbitrary module M 
is combinational if either (a) M is behavioral or (b) M is structural with no loops and 
all of its submodules are combinational. 

The notion of combinational value, which previously applied only to outputs of behavioral 
modules, may be extended to combinational modules. Let s be any signal of a 
combinational module M and let V be a bit vector of the same length as I(M). 

(1) If s = nth(j, I(M)), then cv(s, V, M) = nth(j, V); 

(2) If M is structural and s = nth(j, nth(i, LO(M))), where 
μ = nth(i, S(M)) and (a_1 ... a_m) = nth(i, LI(M)), then 
cv(s, V, M) = cv(nth(j, O(μ)), (cv(a_1, V, M) ... cv(a_m, V, M)), μ). 

We shall describe the behavior of combinational modules in terms of the function cv. 
Our analysis begins with the following characterization of behavioral modules: 

Lemma 3.1 Let s = nth(j, O(M)) be the j-th output of a behavioral module M, let 
d = nth(j, D(M)) be the corresponding delay, and let w = nth(j, sim(M, p, t_f)). 
Assume that for all t ∈ [t_1, t_2), the combinational value of s w.r.t. p(t) is v, where 
t_1 + d < t_2 and t_1 ≤ t_f. Then for all t ∈ [t_1 + d, t_2 + d), w(t) = v. 
Figure 5: Simulation of adder1 and adder2 

Proof: Let p_1 = sim(M, p, t_1). Then according to Lemma 2.13, p_1 = exec(M, p, p_1, t_1). 
It follows from Lemma 2.1(a) that the value of nth(j, p_1) is v for all t ≥ t_1 + d. 

We claim that if p' is any output packet for M such that nth(j, p') has value v 
throughout [t_1 + d, t_2 + d), then so does nth(j, run(M, p, p', t', t_f)), for any t' ≥ t_1. Once 
this claim is proved, the lemma will follow from Lemma 2.11 upon substituting p_1 and 
t_1 for p' and t'. 

The claim is proved by induction. It suffices to show that if p has a new value at t'' = 
t_next(t', p, p', M), and p'' = exec(M, p, p', t''), then nth(j, p'') has value v throughout 
[t_1 + d, t_2 + d). 

If t'' ≥ t_2, then the desired result follows from Lemma 2.1(c). Thus, we may assume 
t'' < t_2 and hence, the combinational value of s w.r.t. p(t'') is v. In this case, nth(j, p'') 
has value v on [t_1 + d, t'' + d) by Lemma 2.1(c), and on [t'' + d, t_2 + d) by Lemma 2.1(a). □ 

Lemma 3.1 is illustrated by the simulation of adder1 shown in Fig. 5, where we compare 
its behavior with that of the combinational module adder2. Note, for example, 
that the output L of adder1, with corresponding term (XOR3 A B C), has the combinational 
value T throughout the interval from 40000 to 80000, and thus, since its delay 
is 12000, the actual value of the signal is T from 52000 to 92000. Note also that this 
simple behavior is not shared by the combinational module adder2. 

However, we shall derive a generalization of Lemma 3.1 that provides similar (although 
somewhat weaker) behavioral specifications of arbitrary combinational modules. 
First, we associate each signal s of a combinational module M with two parameters, 
called the minimum and maximum delays of s, which represent the range of total delays 
along all paths connecting the inputs of M to s. These are defined as follows: 

(1) If s is a member of I(M), then dmin(s, M) = dmax(s, M) = 0; 

(2) If M is behavioral and s = nth(j, O(M)), then 

dmin(s, M) = dmax(s, M) = nth(j, D(M)); 

(3) If M is structural and s = nth(j, nth(i, LO(M))), where 
μ = nth(i, S(M)) and (a_1 ... a_m) = nth(i, LI(M)), then 

dmin(s, M) = dmin(nth(j, O(μ)), μ) + min(dmin(a_1, M), ..., dmin(a_m, M)), 

dmax(s, M) = dmax(nth(j, O(μ)), μ) + max(dmax(a_1, M), ..., dmax(a_m, M)). 

Lemma 3.2 Let s = nth(j, O(M)) be the j-th output of a combinational module M, 
d = dmin(s, M), d' = dmax(s, M), and 

w = nth(j, outp(M, sim(M, p, t_f))). 

Assume that p is constant on the interval [t_1, t_2), where t_1 + d' < t_2 and t_1 ≤ t_f. Let 
v = cv(s, p(t_1), M). Then for all t ∈ [t_1 + d', t_2 + d), w(t) = v. 


Proof: For behavioral M, the conclusion follows from Lemma 3.1. For structural M, 
we shall show that it holds more generally for any local output s of M and the waveform 
w for s determined by B = sim(M, p, t_f). The proof is by induction on the length of 
the longest path in M terminating at s. 

Suppose s is a local output, say s = nth(j, nth(i, LO(M))). Let μ = nth(i, S(M)), 
β = nth(i, B), (a_1 ... a_m) = nth(i, LI(M)), and 

b = inp(i, M, p, B) = (w_1 ... w_m). 

Then w = nth(j, outp(μ, β)), and by Lemma 2.12, β = sim(μ, b, t_f). 

For 1 ≤ l ≤ m, let d_l = dmin(a_l, M), d'_l = dmax(a_l, M), and v_l = cv(a_l, p(t_1), M). 
If a_l is a local output of M, then by inductive hypothesis, w_l(t) = v_l for all t ∈ 
[t_1 + d'_l, t_2 + d_l); otherwise, a_l is an input, and the same is true trivially. Thus, 
b(t) = (v_1 ... v_m) for all t ∈ [t_1 + Δ, t_2 + δ), where Δ = max(d'_1, ..., d'_m) and 
δ = min(d_1, ..., d_m). 

By the definition of cv, 

v = cv(nth(j, O(μ)), (v_1 ... v_m), μ) = cv(nth(j, O(μ)), b(t_1 + Δ), μ). 

Since μ is combinational, w(t) = v for all 

t ∈ [t_1 + Δ + dmax(nth(j, O(μ)), μ), t_2 + δ + dmin(nth(j, O(μ)), μ)) 

= [t_1 + d', t_2 + d). □ 
As an example, consider the output signal L of the combinational module adder2. By 
tracing all paths from the inputs to L, we may compute cv(L, (a b c), adder2) as a nested 
nand2 expression that may be shown to be tautologically equivalent to xor3(a, b, c). By 
a similar calculation, we have 

dmin(L, adder2) = 4000 and dmax(L, adder2) = 12000. 

Thus, according to Lemma 3.2, if t_1 + 12000 < t_2, t_1 ≤ t_f, and the input packet p for 
adder2 has the constant value p(t) = (a b c) for t ∈ [t_1, t_2), then 

w = nth(1, outp(adder2, sim(adder2, p, t_f))) 

has the value w(t) = xor3(a, b, c) for t ∈ [t_1 + 12000, t_2 + 4000). This result is illustrated 
in Fig. 5: since the input packet has the constant value (T T T) on the interval 
[20000, 40000), the value of the first output is xor3(T, T, T) = T on the interval 
[32000, 44000). 
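The path tracing just described, carried out mechanically for adder2 as an added example in Python (not the paper's Nqthm code); it assumes that nand2 is a single-output behavioral module with delay 2000, the value implied by dmin(L, adder2) = 4000 and dmax(L, adder2) = 12000, and it checks H as well as L.

```python
"""cv, dmin and dmax (Subsection 3.1) evaluated over the page's adder2.

Added example, not the paper's Nqthm code.  Assumption: nand2 is a behavioral
module with one output of delay 2000 (the value implied by dmin(L) = 4000 and
dmax(L) = 12000).  A behavioral primitive is a (function, delay) pair.
"""
nand2 = (lambda a, b: not (a and b), 2000)

# (STRUCT (A B C) (L H) (nand2 ... nand2) local-inputs local-outputs) as on
# the page, with keys mirroring the paper's I, O, S, LI and LO.
adder2 = {
    "I": ("A", "B", "C"),
    "O": ("L", "H"),
    "S": (nand2,) * 9,
    "LI": (("A", "B"), ("A", "T1"), ("B", "T1"), ("T2", "T3"), ("C", "T4"),
           ("T5", "T4"), ("C", "T5"), ("T5", "T1"), ("T7", "T6")),
    "LO": (("T1",), ("T2",), ("T3",), ("T4",), ("T5",), ("T6",), ("T7",),
           ("H",), ("L",)),
}


def locate(m, s):
    """Return (i, j), 0-based, such that s = nth(j, nth(i, LO(m)))."""
    for i, outs in enumerate(m["LO"]):
        if s in outs:
            return i, outs.index(s)
    raise KeyError(f"{s} is not a local output")


def cv(s, V, m):
    """Combinational value of signal s of module m w.r.t. the bit vector V."""
    if s in m["I"]:                                   # case (1): an input
        return V[m["I"].index(s)]
    i, j = locate(m, s)                               # case (2): local output
    sub = m["S"][i]
    args = tuple(cv(a, V, m) for a in m["LI"][i])     # values of a_1 ... a_m
    if isinstance(sub, dict):                         # nested structure
        return cv(sub["O"][j], args, sub)
    return sub[0](*args)                              # behavioral primitive


def _delay(s, m, pick):
    """Shared body of dmin (pick = min) and dmax (pick = max)."""
    if s in m["I"]:                                   # case (1): an input
        return 0
    i, j = locate(m, s)
    sub = m["S"][i]
    if isinstance(sub, dict):                         # case (3), nested module
        own = _delay(sub["O"][j], sub, pick)
    else:                                             # case (2): nth(j, D(M))
        own = sub[1]
    return own + pick(_delay(a, m, pick) for a in m["LI"][i])


def dmin(s, m):
    return _delay(s, m, min)


def dmax(s, m):
    return _delay(s, m, max)


def stable_interval(s, m, t1, t2):
    """Lemma 3.2: inputs constant on [t1, t2) make output s constant on
    [t1 + dmax, t2 + dmin); returned as the pair (start, end)."""
    return t1 + dmax(s, m), t2 + dmin(s, m)


def check_adder2():
    """L must equal xor3(a, b, c) and H the full-adder carry for all 8 inputs."""
    bits = (False, True)
    return all(
        cv("L", (a, b, c), adder2) == (a ^ b ^ c)
        and cv("H", (a, b, c), adder2) == ((a and b) or (c and (a ^ b)))
        for a in bits for b in bits for c in bits)


if __name__ == "__main__":
    print(check_adder2(), dmin("L", adder2), dmax("L", adder2),
          stable_interval("L", adder2, 20000, 40000))
```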

3.2 Sequential Modules 

We shall describe a class of sequential circuits that may be characterized as synchronous 
resettable rising-edge-triggered devices. The flip-flop dff of Subsection 2.4 will be used 
as a primitive in the construction of these circuits. 

Let M be a structural module with I(M) = (r_1 ... r_m), where m ≥ 2, S(M) = 
(μ_1 ... μ_k), and for i = 1, ..., k, nth(i, LI(M)) = (a_i1 ... a_imi) and nth(i, LO(M)) = 
(b_i1 ... b_ini). Let q ∈ N. Then M is a sequential module with multiplicity q = mult(M) 
if either (a) q = 0 and M = dff, or (b) 0 < q ≤ k and the following conditions hold: 

(1) For 1 ≤ i ≤ q, μ_i is a sequential module; 

(2) For q < i ≤ k, μ_i is a combinational module; 

(3) For 1 ≤ i ≤ k and 1 ≤ j ≤ m_i, a_ij = r_1 iff i ≤ q and j = 1; 

(4) For 1 ≤ i ≤ k and 1 ≤ j ≤ m_i, a_ij = r_2 iff i ≤ q and j = 2; 

(5) If (s_1 ... s_p) is a path in M with s_1 = s_p, then for some i and j, where 1 ≤ i ≤ p 
and 1 ≤ j ≤ q, s_i is a member of nth(j, LO(M)); 

(6) If (s_1 ... s_p) is a path in M with s_1 a global input and s_p a global output of 
M, then for some i and j, where 1 ≤ i ≤ p and 1 ≤ j ≤ q, s_i is a member of 
nth(j, LO(M)). 

Throughout the remainder of this section, we shall assume that M is a sequential module 
with I(M), S(M), LI(M), and LO(M) as denoted above. Note that M must have at 
least two inputs, r_1 and r_2, which we call the clock and reset, respectively; the other 
inputs are called data. According to (3) and (4), if M ≠ dff, then the clock and reset 
of M are connected to the clock and reset, respectively, of each sequential submodule of 
M, and to no other submodule inputs. 

We define a path in M to be combinational if it contains no signal that is a local 
output of a sequential submodule. According to (5) of the definition, M contains no 
combinational loop; according to (6), no combinational path connects an input to an 
output. 

We define a signal s of M to be native if there is no combinational path from any 
global input to s; the signals Q and QN of dff are also defined to be native. Thus, all 
outputs of M are native signals. 

A native signal s of M is registered if either (a) M = dff and s is an output of M, 
or (b) M ≠ dff and s is a local output b_ij, where i ≤ q and nth(j, O(μ_i)) is a registered 
signal of μ_i. This property will have special significance in connection with asynchronous 
communication. 

Two examples of sequential modules are diagrammed in Fig. 6. The enabled d-flip-flop, 
edff, is defined to be the following structure: 

(STRUCT 
(CLK RST EN D) 
(Q QN) 
(dff not1 nand2 nand2 nand2) 
((CLK RST S4) (EN) (S1 Q) (D EN) (S2 S3)) 
((Q QN) (S1) (S2) (S3) (S4))) 

Clearly, this module satisfies the definition, with mult(edff) = 1. 

The 3-bit counter count3 is a sequential module of multiplicity 3, defined as follows: 

(STRUCT 
(CLK RST EN) 
(Q0 Q1 Q2) 
(edff edff edff and2 xor2 xor2) 
((CLK RST EN QN0) (CLK RST EN S3) (CLK RST EN S2) 
(Q0 Q1) (S1 Q2) (Q0 Q1)) 
((Q0 QN0) (Q1 QN1) (Q2 QN2) (S1) (S2) (S3))) 

Note that all outputs of both of these modules are registered. 

3.3 Sequential Values 

Our description of the behavior of sequential modules will be based on a function that 
computes a sequence of values for each output corresponding to a given sequence of 
input values. The definition of this function involves the notion of state. An object Σ is 
a state of M if 

(1) M = dff and Σ ∈ B, 

(2) mult(M) = 1 and Σ is a state of μ_1, or 

(3) mult(M) = q > 1 and Σ = (σ_1 ... σ_q), where for i = 1, ..., q, σ_i is a state of μ_i. 

Thus, a state associates a Boolean value with each flip-flop. The reset state Σ_0(M) is 
the state for which each of these values is F: 

(1) Σ_0(dff) = F; 

(2) If mult(M) = 1, then Σ_0(M) = Σ_0(μ_1); 

(3) If mult(M) = q > 1, then Σ_0(M) = (Σ_0(μ_1) ... Σ_0(μ_q)). 

A data vector for M is a bit vector of length m − 2, the components of which 
correspond to the data inputs of M. We shall define a function next(V, Σ, M) that 
computes a state of M from a data vector V and a state Σ. This definition requires two 
auxiliary functions. 

First, for a native signal s and a state Σ of M, we define the native value of s 
determined by Σ, denoted as nv(s, Σ, M), as follows: 

(1) nv(Q, Σ, dff) = Σ and nv(QN, Σ, dff) = not1(Σ); 

(2) If mult(M) = 1 and s = b_1j, then 

nv(s, Σ, M) = nv(nth(j, O(μ_1)), Σ, μ_1); 

(3) If mult(M) = q > 1 and s = b_ij, where i ≤ q, then 

nv(s, Σ, M) = nv(nth(j, O(μ_i)), nth(i, Σ), μ_i); 

(4) If mult(M) = q ≥ 1 and s = b_ij, where i > q, then 

nv(s, Σ, M) = cv(nth(j, O(μ_i)), (nv(a_i1, Σ, M) ... nv(a_imi, Σ, M)), μ_i). 

Now, let V = (v_3 ... v_m) and Σ be a data vector and a state of M, respectively. We 
define the resultant value of a signal s determined by V and Σ, denoted as rv(s, V, Σ, M), 
as follows: 

(1) If s = r_i is a data input of M, then rv(s, V, Σ, M) = v_i; 

(2) If s is native to M, then rv(s, V, Σ, M) = nv(s, Σ, M); 

(3) If mult(M) = q > 0 and s = b_ij, where i > q, then 

rv(s, V, Σ, M) = cv(nth(j, O(μ_i)), (rv(a_i1, V, Σ, M) ... rv(a_imi, V, Σ, M)), μ_i). 

We may now define the function next. Let mult(M) = q and for i = 1, ..., q, let 
L_i = (rv(a_i3, V, Σ, M) ... rv(a_imi, V, Σ, M)). 

Then next(V, Σ, M) = Σ', where 

(1) If q = 0 (i.e., M = dff), then Σ' = v_3; 

(2) If q = 1, then Σ' = next(L_1, Σ, μ_1); 

(3) If q > 1 and Σ = (σ_1 ... σ_q), then 

Σ' = (next(L_1, σ_1, μ_1) ... next(L_q, σ_q, μ_q)). 
Figure 6: (a) edff (b) count3 

Now let V = (V_3 ... V_m), where for i = 3, ..., m, V_i = (v_i1 ... v_in) is a bit vector 
of length n. V may be viewed as a Boolean matrix, the rows of which correspond to the 
data inputs of M. Each column of this matrix, V_j = (v_3j ... v_mj), where j = 1, ..., n, 
is a data vector for M. A sequence of n + 1 states is determined by V as follows: 

state(j, V, M) = Σ_0(M) if j = 0, and 
state(j, V, M) = next(V_j, state(j − 1, V, M), M) if 0 < j ≤ n. 

For any native signal s of M, the j-th sequential value of s determined by V is defined as 

sv(j, s, V, M) = nv(s, state(j, V, M), M). 

Thus, the sequential values corresponding to a given matrix of input values are 
determined by the functions nv and next. As an illustration, we shall analyze the 
behavior of these functions for the modules edff and count3. Clearly, a state of edff 
is a state of dff, i.e., a Boolean value. If Σ is such a state and V = (v_3 v_4) is a data 
vector, then 

rv(Q, V, Σ, edff) = nv(Q, Σ, edff) = nv(Q, Σ, dff) = Σ 

and 

rv(QN, V, Σ, edff) = nv(QN, Σ, edff) = nv(QN, Σ, dff) = not1(Σ). 

Expanding the definition of rv, we have 

rv(S4, V, Σ, edff) = nand2(nand2(not1(v_3), Σ), nand2(v_3, v_4)), 

which is also the value of next(V, Σ, edff). A trivial calculation yields the following: 

Proposition 3.1 Let Σ and V = (v_3 v_4) be a state and a data vector for edff. Then 

nv(Q, Σ, edff) = Σ and nv(QN, Σ, edff) = not1(Σ); 

next(V, Σ, edff) = Σ if v_3 = F, and next(V, Σ, edff) = v_4 if v_3 = T. 
A state of count3 is a vector of 3 Boolean values, corresponding to the mult(count3) = 
3 occurrences of edff. If Σ = (σ_0 σ_1 σ_2) and V = (v_3) are a state and a data vector, 
then 

rv(S1, V, Σ, count3) = and2(σ_0, σ_1), 
rv(S2, V, Σ, count3) = xor2(and2(σ_0, σ_1), σ_2), 
rv(S3, V, Σ, count3) = xor2(σ_0, σ_1), 

and it follows from Proposition 3.1 that 

next(V, Σ, count3) = (not1(σ_0) xor2(σ_0, σ_1) xor2(and2(σ_0, σ_1), σ_2)) if v_3 = T, and 
next(V, Σ, count3) = Σ if v_3 = F. 

This result is conveniently expressed in terms of the function inc(W), defined as follows 
for an arbitrary bit vector W: 

(1) If W = NIL, then inc(W) = NIL; otherwise: 

(2) If car(W) = T, then inc(W) = cons(F, inc(cdr(W))); otherwise: 

(3) inc(W) = cons(T, cdr(W)). 

Proposition 3.2 Let Σ = (σ_0 σ_1 σ_2) and V = (v_3) be a state and a data vector for 
count3. Then 

nv(Q0, Σ, count3) = σ_0, 
nv(Q1, Σ, count3) = σ_1, 
nv(Q2, Σ, count3) = σ_2; 

next(V, Σ, count3) = inc(Σ) if v_3 = T, and next(V, Σ, count3) = Σ if v_3 = F. 
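The functions nv, rv, next, state and sv of Subsection 3.3, run over the page's own edff and count3 as an added example in Python (not the paper's Nqthm code); it assumes Σ_0(dff) = F and that the data part of each L_i starts at the third local input, and it checks Propositions 3.1 and 3.2 exhaustively.

```python
"""Sequential values (Subsection 3.3) for the page's modules edff and count3.

Added example, not the paper's Nqthm code.  The primitive dff is a tag whose
state is a single Boolean; bit vectors are tuples of bools with the car first,
as in the paper's inc.  Assumptions: Sigma_0(dff) = F and the data vector L_i
handed to a sequential submodule starts at its third local input.
"""
DFF = "dff"                       # the primitive flip-flop of Subsection 2.4


def not1(a): return not a
def and2(a, b): return a and b
def nand2(a, b): return not (a and b)
def xor2(a, b): return a != b


# The two STRUCT forms of Subsection 3.2, keys mirroring I, O, S, LI and LO.
edff = {
    "I": ("CLK", "RST", "EN", "D"), "O": ("Q", "QN"),
    "S": (DFF, not1, nand2, nand2, nand2),
    "LI": (("CLK", "RST", "S4"), ("EN",), ("S1", "Q"), ("D", "EN"), ("S2", "S3")),
    "LO": (("Q", "QN"), ("S1",), ("S2",), ("S3",), ("S4",)),
}
count3 = {
    "I": ("CLK", "RST", "EN"), "O": ("Q0", "Q1", "Q2"),
    "S": (edff, edff, edff, and2, xor2, xor2),
    "LI": (("CLK", "RST", "EN", "QN0"), ("CLK", "RST", "EN", "S3"),
           ("CLK", "RST", "EN", "S2"), ("Q0", "Q1"), ("S1", "Q2"), ("Q0", "Q1")),
    "LO": (("Q0", "QN0"), ("Q1", "QN1"), ("Q2", "QN2"), ("S1",), ("S2",), ("S3",)),
}


def is_sequential(m):
    return m == DFF or (isinstance(m, dict) and any(is_sequential(s) for s in m["S"]))


def mult(m):
    """Number of sequential submodules (0 for dff itself)."""
    return 0 if m == DFF else sum(is_sequential(s) for s in m["S"])


def reset_state(m):
    """Sigma_0(M): every flip-flop holds F, the value a reset cycle loads."""
    if m == DFF:
        return False
    subs = [reset_state(s) for s in m["S"] if is_sequential(s)]
    return subs[0] if len(subs) == 1 else tuple(subs)


def substate(E, m, i):
    """State component belonging to submodule i of m (sequential ones in order)."""
    k = sum(is_sequential(s) for s in m["S"][:i])
    return E if mult(m) == 1 else E[k]


def locate(m, s):
    """Return (i, j), 0-based, such that s = nth(j, nth(i, LO(m)))."""
    for i, outs in enumerate(m["LO"]):
        if s in outs:
            return i, outs.index(s)
    raise KeyError(s)


def rv(s, V, E, m):
    """Resultant value of s given data vector V and state E.  Native signals
    never consult V, so rv(s, (), E, m) is the paper's nv(s, E, m)."""
    if m == DFF:
        return E if s == "Q" else not E               # nv(Q) = E, nv(QN) = not E
    if s in m["I"]:
        return V[m["I"].index(s) - 2]                 # data inputs are r_3 ... r_m
    i, j = locate(m, s)
    sub = m["S"][i]
    if is_sequential(sub):                            # native: read the sub-state
        out = ("Q", "QN")[j] if sub == DFF else sub["O"][j]
        return rv(out, (), substate(E, m, i), sub)
    return sub(*(rv(a, V, E, m) for a in m["LI"][i]))  # combinational: cv


def nxt(V, E, m):
    """next(V, E, M): the state loaded by a rising edge under data vector V."""
    if m == DFF:
        return V[0]                                   # Sigma' = v_3, the D input
    new = [nxt(tuple(rv(a, V, E, m) for a in m["LI"][i][2:]), substate(E, m, i), sub)
           for i, sub in enumerate(m["S"]) if is_sequential(sub)]
    return new[0] if len(new) == 1 else tuple(new)


def state(j, cols, m):
    """state(j, V, M) with V given as its columns, one data vector per cycle."""
    E = reset_state(m)
    for V in cols[:j]:
        E = nxt(V, E, m)
    return E


def sv(j, s, cols, m):
    """The j-th sequential value of the native signal s."""
    return rv(s, (), state(j, cols, m), m)


def inc(W):
    """The paper's inc: increment a bit vector whose car is the low-order bit."""
    if not W:
        return ()
    return (False,) + inc(W[1:]) if W[0] else (True,) + W[1:]


def check_propositions():
    """Propositions 3.1 and 3.2 over every state and data vector."""
    bits = (False, True)
    ok = all(nxt((en, d), E, edff) == (d if en else E)
             for E in bits for en in bits for d in bits)
    states = [(a, b, c) for a in bits for b in bits for c in bits]
    return ok and all(nxt((True,), E, count3) == inc(E)
                      and nxt((False,), E, count3) == E for E in states)
```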

3.4 Behavior of dff 

Naturally, the behavior of sequential modules depends on that of the primitive dff. 
A precise behavioral specification of dff is given by the following lemma, the proof of 
which is an elaboration of the informal argument found in [20]: 

Lemma 3.3 Let t_1 + 4000 ≤ t_−, t_− + 6000 ≤ t_2, and t_1 ≤ t_f. Let p = (w_CLK w_RST w_D) 
be an input packet for dff, and suppose that 

w_CLK(t) = F for all t ∈ [t_1 − 6000, t_1) ∪ [t_−, t_2), 
w_CLK(t) = T for all t ∈ [t_1, t_−), 

w_RST(t) = r for all t ∈ [t_1 − 8000, t_1), 

and 

w_D(t) = d for all t ∈ [t_1 − 6000, t_1). 

Let sim(dff, p, t_f) = ((w_RN) (w_DD) (w_A1) (w_B1) (w_A2) (w_B2) (w_Q) (w_QN)) and let v = 
and2(not1(r), d). Then w_Q(t) = v and w_QN(t) = not1(v) for all t ∈ [t_1 + 6000, t_2 + 4000). 
Moreover, if these same values hold for all t ∈ [t_1, t_1 + 4000), then they also hold for all 
t ∈ [t_1 + 4000, t_1 + 6000). 
Proof: By Lemmas 3.1 and 2.12, we have w_RN(t) = not1(r) for all t ∈ [t_1 − 6000, t_1 + 
2000). Applying the two lemmas again, we have w_DD(t) = v for all t ∈ [t_1 − 4000, t_1 + 
2000). Similarly, w_B1(t) = w_A2(t) = T for t ∈ [t_1 − 4000, t_1 + 2000), w_B2(t) = 
not1(v) for t ∈ [t_1 − 2000, t_1 + 4000), and hence w_A1(t) = v for t ∈ [t_1, t_1 + 4000). 

We shall consider the case v = F; the case v = T is similar. In this case, w_B1(t) = T 
for t ∈ [t_1 + 2000, t_1 + 6000), and hence w_A2(t) = F for t ∈ [t_1 + 2000, t_1 + 6000). 

Let t' be the least time such that t' ≥ t_1 + 2000 and some waveform in the set 
{w_A1, w_B1, w_A2, w_B2} assumes a new value at t'. Then w_A1(t) = w_A2(t) = F and w_B1(t) = 
w_B2(t) = T for t ∈ [t_1 + 2000, t'). Since t' ≥ t_1 + 4000, it follows that w_B1(t) = 
w_B2(t) = T and w_A1(t) = F for t ∈ [t_1 + 4000, t' + 2000). Similarly, w_A2(t) = F for 
t ∈ [t_1 + 4000, min(t' + 2000, t_− + 2000)). Thus, only w_A2 can possibly assume a new 
value at t', and this requires that t' ≥ t_− + 2000. 

Hence, w_B1(t) = T and w_A2(t) = F for t ∈ [t_1 + 2000, t_− + 2000). It follows that 
w_QN(t) = T for t ∈ [t_1 + 4000, t_− + 4000), and hence w_Q(t) = F for t ∈ [t_1 + 6000, t_− + 
4000). 

Let t'' be the least time such that t'' ≥ t_1 + 6000 and either w_Q or w_QN assumes a new 
value at t''. By an argument similar to the above, it is easily shown that t'' ≥ t_2 + 4000. 
Thus, w_Q(t) = F = v and w_QN(t) = T = not1(v) for t ∈ [t_1 + 6000, t_2 + 4000). 

Now suppose that w_Q(t) = F and w_QN(t) = T for t ∈ [t_1, t_1 + 4000). Then w_QN(t) = T 
for t ∈ [t_1, t_2 + 4000). It follows that w_Q(t) = F for t ∈ [t_1 + 4000, t_2 + 4000). □ 

3.5 Parameters 

Our objective is to impose constraints on the input to a sequential module that will allow its outputs to be described in terms of sequential values. In particular, the clock input will be required to exhibit periodic behavior. We shall call each event of its associated waveform a rising or falling edge, according to whether its value is T or F. An interval between two successive rising edges is called a cycle. Each of the remaining inputs will be required to maintain a stable value over a prescribed interval preceding each rising edge. For the reset input r2, this value is T for an initial cycle and F for every cycle thereafter.

Under these constraints, we shall show that the behavior of M admits a fairly simple description. A state of M will be associated with each rising edge. This state may be computed from the data values prior to the edge and the previous state. The values of the outputs, which may change only during a short interval following a rising edge, are the corresponding sequential values.

We shall describe the behavior of the signals of M in terms of several parameters. First, we associate with each input other than the clock a setup time, which represents the duration over which the signal is required to hold constant prior to a rising edge.

For the case M = dff, as suggested by Lemma 3.3, we define

setup(RST, dff) = 8000 and setup(D, dff) = 6000.

Now suppose mult(M) = q > 0 and let s be any signal of M other than r1. Assume setup(s', M) has been defined for each s' ≠ s that lies on a combinational path starting at s. For each submodule μ_i of M, let ζ_i be defined as follows:

(1) If s ≠ a_ij for all j, 1 ≤ j ≤ m_i, then ζ_i = 0; otherwise:

(2) If i ≤ q, then ζ_i is the maximum setup(nth(j, I(μ_i)), μ_i) such that s = a_ij, j = 2, ..., m_i; otherwise:

(3) i > q, and ζ_i is the maximum sum

dmax(nth(j, O(μ_i)), μ_i) + setup(b_ij, M)

such that setup(b_ij, M) > 0, j = 1, ..., n_i.

Then setup(s, M) is the maximum of the ζ_i.

Each native signal of M is associated with a minimum and a maximum delay, which determine an interval during which the signal's value may change following a rising edge. For the case M = dff, we define

dmin(Q, dff) = dmin(QN, dff) = 4000,

dmax(Q, dff) = dmax(QN, dff) = 6000.

Now suppose mult(M) = q > 0 and let s = b_ij be any native signal of M.

(1) If i ≤ q, then

dmin(s, M) = dmin(nth(j, O(μ_i)), μ_i),

dmax(s, M) = dmax(nth(j, O(μ_i)), μ_i);

(2) If i > q, then

dmin(s, M) = dmin(nth(j, O(μ_i)), μ_i) + min(dmin(a_i1, M), ..., dmin(a_imi, M)),

dmax(s, M) = dmax(nth(j, O(μ_i)), μ_i) + max(dmax(a_i1, M), ..., dmax(a_imi, M)).

We also define three parameters pertaining to the behavior of the clock input of M, called the clock high, the clock low, and the minimum period of M. These represent the minimum durations between a rising edge and the next falling edge, a falling edge and the next rising edge, and successive rising edges, respectively. First, we define high(dff) = 4000, low(dff) = 6000, and per(dff) = 10000. For mult(M) = q > 0, we define

high(M) = max(high(μ_1), ..., high(μ_q));

low(M) = max(low(μ_1), ..., low(μ_q));

per(M) = max(P_1, P_2, P_3),

where

P_1 = max{per(μ_i) : 1 ≤ i ≤ q};

P_2 = max{setup(r_i, M) : 2 ≤ i ≤ m};

P_3 = max{setup(b_ij, M) + dmax(nth(j, O(μ_i)), μ_i) : 1 ≤ i ≤ q, 1 ≤ j ≤ n_i}.

Consider, for example, the circuits edff and count3. First, the setup times for the signals of edff may be computed directly from the definitions, by tracing along all combinational paths. For example,

setup(RST, edff) = 8000,
setup(EN, edff) = 12000,
setup(D, edff) = 10000.

The setups for count3 follow trivially:

setup(RST, count3) = 8000,
setup(EN, count3) = 12000.

In fact, it follows from our definitions that the setup of the reset input of every sequential module is 8000.

All outputs of both of these devices are registered. It follows that the minimum and maximum delay of each output are 4000 and 6000, respectively.

Similarly, the clock high and low of each device (in fact, of any sequential device) are 4000 and 6000, respectively, as determined by dff. Calculation of the minimum period, on the other hand, involves a comparison of various setups and delays. In the case of edff, the minimum period is found to be

setup(Q, edff) + dmax(Q, dff) = 10000 + 6000 = 16000;

for count3, it is

setup(Q0, count3) + dmax(Q, edff) = 14000 + 6000 = 20000.

3.6 The Main Theorem 

The input constraints for sequential modules will be expressed in terms of the functions setup, high, low, and per. First, we define a waveform w to be an n-cycle pulse based at t0 with high h, low l, and period π = h + l if for k = 0, ..., n - 1,

w(t) = T for all t ∈ [t0 + kπ, t0 + kπ + h), and

w(t) = F for all t ∈ [t0 + kπ + h, t0 + (k + 1)π).

If h ≥ high(M), l ≥ low(M), and π ≥ per(M), then w is an admissible pulse for M.

Let V = (v1 ... vn) be a bit vector and let π ≥ u ≥ 0. Let w be a waveform such that for k = 1, ..., n, w(t) = v_k for all t ∈ [t0 + kπ - u, t0 + kπ). Then w is a stable n-cycle waveform based at t0 with setup u, value list V, and period π. If u ≥ setup(r2, M), v1 = T, and v2 = ... = vn = F, then w is an admissible reset waveform for M.

For i = 1, ..., k, let w_i be a stable n-cycle waveform based at t0 with value list V_i, setup u_i, and period π. Let V = (V_1 ... V_k), U = (u_1 ... u_k), and W = (w_1 ... w_k). Then W is a stable n-cycle packet based at t0 with value matrix V, setup list U, and period π. If k = m - 2 and u_i ≥ setup(r_{i+2}, M) for i = 1, ..., k, then W is an admissible data packet for M.

Let w1 be an admissible (n + 2)-cycle pulse for M based at t0 with period π. Let w2 be an admissible (n + 1)-cycle reset waveform for M based at t0 with period π. Let (w3 ... wm) be an admissible n-cycle data packet for M based at t0 + π with value matrix V and period π. Then (w1 ... wm) is an admissible n-cycle input packet for M based at t0 with value matrix V and period π.

We may now state a behavioral specification for sequential modules:

Theorem 3.1 Let s = nth(j, O(M)) be the jth output of a sequential module M, d' = dmax(s, M), and w = nth(j, outp(M, sim(M, p, tf))).

Assume that p is an admissible n-cycle input packet for M based at t0 with value matrix V and period π, where tf ≥ t0 + (n + 1)π. For i = 0, ..., n, let v_i = sv(i, s, V, M). Then w is a stable (n + 1)-cycle waveform based at t0 + π with setup π - d', value list (v0 ... vn), and period π.

Assume further that s is a registered signal of M and v_{i-1} = v_i for some i, 1 ≤ i ≤ n. Then w(t) = v_i for all t ∈ [t0 + (i + 1)π, t0 + (i + 2)π).

Theorem 3.1 is an immediate consequence of the following: 

Lemma 3.4 Let s = nth(j, O(M)) be the jth output of a sequential module M, d = dmin(s, M), d' = dmax(s, M), and

w = nth(j, outp(M, sim(M, p, tf))).

Assume that p is an admissible n-cycle input packet for M based at t0 with value matrix V and period π. Let t0 + (n + 1)π = t1, t1 + π = t2, and assume t1 ≤ tf. Let v = sv(n, s, V, M). Then w(t) = v for all t ∈ [t1 + d', t2 + d).

Suppose further that s is a registered signal of M. If n > 0 and sv(n - 1, s, V, M) = v, then w(t) = v for all t ∈ [t1 + d, t2 + d).

Proof: For the case M = dff, the lemma is simply a restatement of Lemma 3.3. Thus, we may assume that M ≠ dff and proceed by induction on the structure of M. Let V = (V3 ... Vm), where for i = 3, ..., m, V_i = (v_i1 ... v_in). For j = 0, ..., n, let E_j = state(j, V, M).

Let B = sim(M, p, tf), and for each signal s of M, let w_s be

nth(i, p) if s is a global input r_i;

the waveform for s determined by B if s is a local output b_ij.

If s is not r1 or r2, then for 0 ≤ ℓ < n, let

val(s, ℓ) = rv(s, (v_{3(ℓ+1)} ... v_{m(ℓ+1)}), E_ℓ, M).

If s is native, then by definition we have

val(s, ℓ) = nv(s, E_ℓ, M) = sv(ℓ, s, V, M).

Thus, for native s, we extend the definition to ℓ = n by

val(s, n) = sv(n, s, V, M).

For any ℓ ∈ N, let t_ℓ = t0 + (ℓ + 1)π, so that t1 = t_n and t2 = t_{n+1} = t_n + π. We shall prove, by induction on ℓ, that the following three statements hold for each ℓ ≤ n:

(a) For each i, 1 ≤ i ≤ q, inp(i, M, p, B) is an admissible ℓ-cycle input packet for μ_i based at t0 with value matrix

((val(a_i3, 0) ... val(a_i3, ℓ - 1)) ... (val(a_imi, 0) ... val(a_imi, ℓ - 1)))

and period π.

(b) For each native signal s = b_ij of M,

w_s(t) = val(s, ℓ) for all t ∈ [t_ℓ + dmax(s, M), t_{ℓ+1} + dmin(s, M));

if s is a registered signal of M, then the same is true for the interval [t_ℓ + dmin(s, M), t_{ℓ+1} + dmin(s, M)).

(c) If ℓ < n, then for each signal s of M other than r1 and r2,

w_s(t) = val(s, ℓ) for all t ∈ [t_{ℓ+1} - setup(s, M), t_{ℓ+1}).

The lemma will then follow from (b), taking ℓ = n.

Proof of (a): For ℓ = 0, this follows from (3) and (4) in the definition of sequential module. For ℓ > 0, we must also invoke the inductive hypothesis that (c) holds with ℓ replaced by ℓ - 1.

Proof of (b): We induct on the length of the longest combinational path terminating at s. Let s = b_ij. In the base case, where i ≤ q, the result follows from the inductive assumption that the lemma holds for the sequential submodule μ_i, Lemma 2.12, and (a). In the inductive case, where i > q, it follows from Lemmas 2.12 and 3.2.

Proof of (c): This is similarly proved by induction on the length of the longest combinational path terminating at s. In the base case, s is either a global input r_i, i ≥ 3, or a local output b_ij, i ≤ q. If s = r_i, then the claim follows directly from the admissibility of the input packet p. Suppose s = b_ij, i ≤ q. It follows from (b) that

w_s(t) = val(s, ℓ) for all t ∈ [t_ℓ + dmax(s, M), t_{ℓ+1}).

According to the definition of per(M),

π ≥ setup(b_ij, M) + dmax(nth(j, O(μ_i)), μ_i).

Hence,

t_ℓ + dmax(s, M) = t_{ℓ+1} - π + dmax(nth(j, O(μ_i)), μ_i) ≤ t_{ℓ+1} - setup(b_ij, M).

The induction is completed as in the proof of (b). □
4 Asynchronous Communication

Suppose we have a circuit in which an output of one sequential module, called the sender, is connected to a data input of another, called the receiver. Under suitable conditions on the sender's input, its output waveform is guaranteed by Theorem 3.1 to be stable with respect to the period of the sender's clock. On the other hand, in order to apply the results of Section 3 to the behavior of the receiver, we must be able to assume that its input is stable with respect to the period of its own clock. In general, this is true only for a synchronous circuit, in which the two modules are driven by the same clock. In this section, we shall examine the asynchronous case, in which the two clock inputs have different periods.

Our treatment of this problem is based on Moore's model of asynchrony [15]. In this model, the behavior of a signal is characterized abstractly by three quantities: a base time, a period, and a bit vector (representing the values assumed on successive cycles). Moore postulates that the receiver's input vector is determined by a function asynch, the arguments of which include the sender's output vector, the two periods, and the two base times. In this section, we shall present Moore's function asynch and establish the applicability of his model to certain circuits represented in our language. In Section 5, we shall employ a theorem of Moore to show that if the sender's and receiver's periods are known to be approximately equal, then communication may be achieved by means of a well-known protocol.

4.1 Smooth and Quasi-Smooth Waveforms 

The communication protocol is motivated by the observation that if the time at which the receiver samples its input may be approximated by the sender, then the sender may successfully communicate a value by redundantly writing the value on sufficiently many successive cycles to guarantee that it is the value read by the receiver. For this purpose, the assumption that the sender's output waveform is stable is too weak; the waveform must be known to be constant on each cycle during some critical interval. With this requirement in mind, we define a stable waveform to be smooth if its setup time coincides with its period. Thus, w is a smooth n-cycle waveform based at t0 with value list V = (v1 ... vn) and period π if for k = 1, ..., n, w(t) = v_k for all t ∈ [t0 + (k - 1)π, t0 + kπ).

A somewhat weaker notion of smoothness is needed to describe waveforms that are constant over some but not all cycles. First, we define a list V = (v1 ... vn) to be a generalized bit vector if each v_k is either Boolean or the literal atom Q. In this case, we shall call w a quasi-smooth n-cycle waveform based at t0 with value list V and period π if for k = 1, ..., n, either v_k = Q or w(t) = v_k for all t ∈ [t0 + (k - 1)π, t0 + kπ). (Thus, the value Q corresponds to cycles of unknown behavior.)

Our first objective is to derive a nontrivial representation of an output waveform of a sequential device as a quasi-smooth waveform. For this purpose, we make the following definition: If v is a Boolean atom and V is a bit vector, then smooth(v, V) is the generalized bit vector V', where

(1) If V = NIL, then V' = NIL; otherwise:

(2) If car(V) = v, then V' = cons(v, smooth(v, cdr(V))); otherwise:

(3) V' = cons(Q, smooth(car(V), cdr(V))).

Thus, if v = v0 and V = (v1 ... vn), then V' = (v'1 ... v'n), where for i = 1, ..., n,

v'_i = v_i if v_i = v_{i-1};

v'_i = Q if v_i ≠ v_{i-1}.

Lemma 4.1 Let s = nth(j, O(M)) be a registered output of a sequential module M. Let w = nth(j, outp(M, sim(M, p, tf))), where p is an admissible n-cycle input packet for M based at t0 with value matrix V and period π, and tf ≥ t0 + (n + 1)π.

Let U = (sv(0, s, V, M) ... sv(n, s, V, M)). Then w is an n-cycle quasi-smooth waveform based at t0 + 2π with value list smooth(car(U), cdr(U)) and period π.

Proof: For 0 ≤ k ≤ n, let U_k = (sv(n - k, s, V, M) ... sv(n, s, V, M)) and V_k = smooth(car(U_k), cdr(U_k)). We shall prove, by induction on k, that w is a k-cycle quasi-smooth waveform based at t0 + (n - k + 2)π with value list V_k and period π.

The base case k = 0 holds vacuously. For k > 0, since cdr(V_k) = V_{k-1}, we need only consider car(V_k) and the behavior of w on [t0 + (n - k + 2)π, t0 + (n - k + 3)π). If car(V_k) = Q, there is nothing to prove. In the remaining case, car(V_k) = car(U_k) = car(U_{k-1}), i.e., sv(n - k, s, V, M) = sv(n - k + 1, s, V, M), and the result follows from Theorem 3.1. □


4.2 Describing Output as Input 

Next, for a given quasi-smooth waveform with period π_s (representing that of the sender's clock), we would like to derive an alternative representation as a quasi-smooth waveform with a given period π_r (that of the receiver's clock). Let w be an n-cycle quasi-smooth waveform based at t_s (a rising edge of the sender's clock) with value list V = (v1 ... vn) and period π_s. Assume t_s ≤ t_r < t_s + π_s (where t_r represents a rising edge of the receiver's clock). We shall construct a list of values V' = warp(V, t_s, t_r, π_s, π_r) such that w is a quasi-smooth waveform based at t_r with value list V' and period π_r. The definition of warp requires several auxiliary functions.

Let t satisfy t_s < t ≤ t_s + nπ_s. Choose k so that t_s + (k - 1)π_s < t ≤ t_s + kπ_s. (Then k represents the number of cycles of the sender that intersect the interval [t_s, t).) We define

sig(V, t_s, t, π_s) = v1 if v1 = v2 = ... = vk;

sig(V, t_s, t, π_s) = Q if not.

Under the same constraints on t, choose ℓ so that t_s + ℓπ_s ≤ t < t_s + (ℓ + 1)π_s. (Then t_s + ℓπ_s represents the maximum sender's rising edge that is not exceeded by t.) We define

t+(V, t_s, t, π_s) = t_s + ℓπ_s

and

lst+(V, t_s, t, π_s) = (v_{ℓ+1} ... v_n).

Now we may define V' = warp(V, t_s, t_r, π_s, π_r): If t_r + π_r > t_s + nπ_s, then V' = NIL; otherwise,

V' = cons(sig, warp(lst+, t+, t_r + π_r, π_s, π_r)),

where sig = sig(V, t_s, t_r + π_r, π_s), lst+ = lst+(V, t_s, t_r + π_r, π_s), and t+ = t+(V, t_s, t_r + π_r, π_s).

Lemma 4.2 Let w be a quasi-smooth n-cycle waveform based at t_s with value list V and period π_s. Let π_r > 0 and t_s ≤ t_r < t_s + π_s. Let V' = warp(V, t_s, t_r, π_s, π_r) and let n' be the length of V'. Then w is a quasi-smooth n'-cycle waveform based at t_r with value list V' and period π_r.

Proof: We may assume t_r + π_r ≤ t_s + nπ_s, for otherwise, n' = 0. Let V = (v1 ... vn) and let sig, lst+, and t+ be defined as in the definition of warp. By induction, we may further assume that w is a quasi-smooth (n' - 1)-cycle waveform based at t_r + π_r with value list cdr(V') = warp(lst+, t+, t_r + π_r, π_s, π_r) and period π_r. We need only show that either car(V') = sig = Q, or w has the constant value sig on the cycle [t_r, t_r + π_r). Suppose sig ≠ Q. Choose k so that t_s + (k - 1)π_s < t_r + π_r ≤ t_s + kπ_s. According to the definition of sig, sig = v1 = v2 = ... = vk, and hence, w(t) = sig for all t ∈ [t_s, t_s + kπ_s) ⊇ [t_r, t_r + π_r). □

4.3 Eliminating Metastability 

Lemmas 4.1 and 4.2 together provide a representation of a registered output waveform 
from the sender as a quasi-smooth waveform with respect to the receiver’s clock. In 
order to achieve communication, we shall design a clocked state-holding device, called 
a d-latch , that converts a quasi-smooth input to a stable output. In our asynchronous 
circuit, this device will share the receiver’s clock, and its output will be connected to 
the receiver’s input. 

The d-latch will consist of an inverter and three nand gates. Its functionality will depend on the relative delays of these components. Thus, along with our standard gates not1 and nand2, both of which have delay 2000, we shall require the following faster nand gate, fnand2:

(BEHAV (A B) ((NAND2 A B)) (1000) (INERTIAL))

We define dlatch to be the following module, which is diagrammed in Fig. 7:

(STRUCT (CLK D) (S2)
  (not1 nand2 nand2 fnand2)
  ((CLK) (CLK D) (S1 S3) (S0 S2))
  ((S0) (S1) (S2) (S3)))

Unlike all other circuits that we have encountered, the specified behavior of dlatch will 
also depend on the unique character of inertial delay. In particular, we shall need the 
following result: 
Lemma 4.3 Let s = nth(j, O(M)) be the jth output of a behavioral module M. Let d be the delay associated with s, and suppose that nth(j, P(M)) = INERTIAL. Let p be an input packet for M, let v be the combinational value of s w.r.t. p(t0), and let w = nth(j, sim(M, p, t0)).

(a) If w(t0) = v, then w = hist(w, t0);

(b) If w(t0) ≠ v, then w = cons((v, t1), hist(w, t0)), where t0 < t1 ≤ t0 + d.

Proof: By Lemma 2.13 and the definition of exec,

w = inertial(w, v, t0, t0 + d).

The lemma follows from the definition of inertial. □

The behavioral specification of dlatch is an instance of the following, with d0 = d1 = d2 = 2000 and d3 = 1000.

Lemma 4.4 Let G0 be the inverter

(BEHAV (A) (NOT1 A) (d0) (INERTIAL))

and for i = 1, 2, 3, let G_i be the nand gate

(BEHAV (A B) (NAND2 A B) (d_i) (INERTIAL)),

where d3 < d2 and d0 + d3 < d1 + d2. Let D = d0 + d1 + d2 + d3. Let L be the module

(STRUCT (CLK D) (S2)
  (G0 G1 G2 G3)
  ((CLK) (CLK D) (S1 S3) (S2 S0))
  ((S0) (S1) (S2) (S3))).

Let p = (w_CLK w_D) be an input packet for L, and assume that

w_CLK(t) = T for all t ∈ [t+, t-),

w_CLK(t) = F for all t ∈ [t-, tf),

where t- ≥ t+ + D and tf ≥ t- + D. Let ((w0) (w1) (w2) (w3)) = sim(L, p, tf). Then w2 has a constant value v on [t- + D, tf). If w_D has a constant value u on [t+, tf), then v = u.
Proof: For each t ∈ N, let B_t = ((w_{0,t}) (w_{1,t}) (w_{2,t}) (w_{3,t})) = sim(L, p, t). Then w_i = w_{i,tf} for i = 0, ..., 3. Let t0 = t- + d0. For each t ≥ t0, the following results may be derived from Lemmas 3.1 and 2.12:

(a) w_{0,t} has the constant value F on [t+ + d0, t0);

(b) w_{3,t} has the constant value T on [t+ + d0 + d3, t0 + d3);

(c) w_{0,t} has the constant value T on [t0, tf + d0);

(d) w_{1,t} has the constant value T on [t- + d1, tf + d1).

In particular, for each t ≥ t0, w_{0,t} and w_{1,t} are both constant on [t0, tf). By Lemma 2.12,

(w_{2,t}) = sim(G2, (w_{1,t} w_{3,t}), t)

and

(w_{3,t}) = sim(G3, (w_{0,t} w_{2,t}), t).

We shall apply Lemma 4.3 to both G2 and G3.

We shall show that for some t1 ∈ [t0, t- + D) and some v ∈ B, w_{2,t1}(t1) = v and w_{3,t1}(t1) = not1(v). Let w_{2,t0}(t0) = v2 and w_{3,t0}(t0) = v3. We consider the following cases:

Case 1: v3 = not1(v2). In this case, we take t1 = t0 and v = v2.

Case 2: v3 = v2. By Lemma 4.3(b),

w_{2,t0} = cons((not1(v2), t2), hist(w_{2,t0}, t0)),

where t0 < t2 ≤ t0 + d2, and

w_{3,t0} = cons((not1(v2), t3), hist(w_{3,t0}, t0)),

where t0 < t3 ≤ t0 + d3.

Subcase 2a: t3 < t2. Here, tnext(t0, p, B_{t0}, L) = t3. By Lemma 2.7,

w_{2,t3}(t3) = w_{2,t0}(t3) = v2

and

w_{3,t3}(t3) = w_{3,t0}(t3) = not1(v2).

Thus, we have t1 = t3 and v = v2.

Subcase 2b: t2 < t3. In this case, tnext(t0, p, B_{t0}, L) = t2, and we have

w_{2,t2}(t2) = w_{2,t0}(t2) = not1(v2)

and

w_{3,t2}(t2) = w_{3,t0}(t2) = v2.

In this case, t1 = t2 and v = not1(v2).

Subcase 2c: t2 = t3. We have

w_{2,t2}(t2) = w_{3,t2}(t2) = not1(v2).

By Lemma 4.3(b),

w_{2,t2} = cons((v2, t2 + d2), w_{2,t0})

and

w_{3,t2} = cons((v2, t2 + d3), w_{3,t0}).

It follows from our hypotheses that d3 < d2. Hence,

w_{2,t2+d3}(t2 + d3) = not1(v2)

and

w_{3,t2+d3}(t2 + d3) = v2.

Thus, t1 = t2 + d3 and v = not1(v2).

Now, by Lemma 4.3(a), w_{2,t1} = hist(w_{2,t1}, t1) and w_{3,t1} = hist(w_{3,t1}, t1). Hence, tnext(t1, p, B_{t1}, L) ≥ tf. It follows that for any t' ∈ [t1, tf), B_{t'} = B_{t1}, and in particular, w_{2,t'}(t') = w_2(t') = w_{2,t1}(t') = v. Thus, w_2 has the constant value v on [t1, tf) ⊇ [t- + D, tf).
Figure 7: (a) dlatch; (b) bpm


Finally, suppose that w_D has a constant value u on [t+, tf). Then w1(t) = not1(u) for t ∈ [t+ + d1, t- + d1). Since w3(t) = T on [t+ + d0 + d3, t0 + d3), the combinational value corresponding to S2 is u on the intersection of these intervals, [max(t+ + d1, t+ + d0 + d3), min(t- + d1, t0 + d3)). Thus, by Lemma 3.1, w2(t) = u for t ∈ [max(t+ + d1 + d2, t+ + d0 + d3 + d2), min(t- + d1 + d2, t0 + d3 + d2)). In particular, w2(t) = u for t ∈ [t0, t0 + d2). Thus, v2 = u. Moreover, Subcases 2b and 2c, in which w2 assumes the value not1(v2) at some point in this interval, are eliminated. In the remaining cases, v = v2 = u. □

In order to make use of the results of [15], we must restate Lemma 4.4 in terms of Moore's function det. If V is a generalized bit vector and oracle is a bit vector, then det(V, oracle) is the bit vector V', defined as follows:

(1) If V = NIL, then V' = NIL; otherwise:

(2) If car(V) ∈ B, then V' = cons(car(V), det(cdr(V), oracle)); otherwise:

(3) If oracle = NIL, then V' = cons(T, det(cdr(V), oracle)); otherwise:

(4) V' = cons(car(oracle), det(cdr(V), cdr(oracle))).

Lemma 4.5 Let p = (w_CLK w_D) be an input packet for dlatch, where w_CLK is an n-cycle pulse based at t0 with high h ≥ 7000, low l ≥ 7000, and period π = h + l, and w_D is a quasi-smooth n-cycle waveform based at t0 with value list V and period π. Let

((w0) (w1) (w2) (w3)) = sim(dlatch, p, tf),

where tf ≥ t0 + nπ. Then for some bit vector oracle, w2 is a stable n-cycle waveform based at t0 with setup l - 7000, value list det(V, oracle), and period π.

Proof: We induct on n. For n = 0, the statement is vacuous. For n > 0, we may assume that w2 is a stable (n - 1)-cycle waveform based at t0 + π with setup l - 7000, value list det(cdr(V), oracle'), and period π. By Lemma 4.4, w2 has a constant value v on [t0 + h + 7000, t0 + π) = [t0 + π - (l - 7000), t0 + π), and if car(V) ≠ Q, then car(V) = v.

If car(V) = Q, then let oracle = cons(v, oracle'); otherwise, let oracle = oracle'. In either case, w2 is a stable n-cycle waveform based at t0 with setup l - 7000, value list det(V, oracle), and period π. □

4.4 The Main Theorem 

In Section 5, we shall apply the results of this section to a circuit bpm, consisting of two sequential submodules, sndr and rcvr, and a dlatch. According to the definitions that we shall present later, sndr has 9 data inputs and one registered output, SOUT, while rcvr has one data input, SIN, and 9 outputs. The circuit bpm, which is diagrammed in Fig. 7, is defined as follows:

(STRUCT
  (CLKS RSTS CLKR RSTR SEND I0 I1 I2 I3 I4 I5 I6 I7)
  (DONE O0 O1 O2 O3 O4 O5 O6 O7)
  (sndr dlatch rcvr)
  ((CLKS RSTS SEND I0 I1 I2 I3 I4 I5 I6 I7)
   (CLKR SOUT)
   (CLKR RSTR LOUT))
  ((SOUT)
   (LOUT)
   (DONE O0 O1 O2 O3 O4 O5 O6 O7)))

The following theorem summarizes our results on asynchrony, as they pertain to the module bpm. The theorem refers to Moore's function asynch, which is defined as follows: Let V and oracle be bit vectors and let t_s, t_r, π_s, π_r ∈ N such that π_s > 0, π_r > 0, and t_s ≤ t_r < t_s + π_s. Then

asynch(V, t_s, t_r, π_s, π_r, oracle) = det(warp(smooth(T, V), t_s, t_r, π_s, π_r), oracle).

Theorem 4.1 Let p = (w_CLKS w_RSTS w_CLKR w_RSTR w_SEND w_0 ... w_7) be an input packet for bpm, where

(a) (w_CLKS w_RSTS w_SEND w_0 ... w_7) is an admissible n_s-cycle input packet for sndr based at b_s with value matrix V and period π_s;

(b) w_CLKR is an admissible (n_r + 2)-cycle pulse for rcvr based at b_r with high h ≥ 7000, low l ≥ 7000 + setup(SIN, rcvr), and period π_r = h + l;

(c) w_RSTR is an admissible (n_r + 1)-cycle reset waveform for rcvr based at b_r with period π_r.

Let t_r = b_r + π_r. Assume that b_s + 2π_s ≤ t_r < b_s + (n_s + 2)π_s ≤ t_r + n_r π_r. Choose j so that b_s + jπ_s ≤ t_r < b_s + (j + 1)π_s and let t_s = b_s + jπ_s. Assume sv(j - 2, SOUT, V, sndr) = T.

Let U = (sv(j - 1, SOUT, V, sndr) ... sv(n_s, SOUT, V, sndr)). Let w_LOUT be the waveform for LOUT determined by sim(bpm, p, tf), where tf ≥ t_r + n_r π_r. Then for some bit vector oracle, (w_CLKR w_RSTR w_LOUT) is an admissible input packet for rcvr based at b_r with value matrix

(asynch(U, t_s, t_r, π_s, π_r, oracle))

and period π_r.
Proof: Let w_SOUT be the waveform for SOUT determined by sim(bpm, p, tf). According to Lemma 4.1, w_SOUT is a quasi-smooth waveform based at t_s with value list smooth(T, U) and period π_s. It follows from Lemma 4.2 that w_SOUT is also a quasi-smooth waveform based at t_r with value list warp(smooth(T, U), t_s, t_r, π_s, π_r) and period π_r. Finally, by Lemma 4.5, w_LOUT is a stable waveform based at t_r with setup l - 7000 ≥ setup(SIN, rcvr), value list

det(warp(smooth(T, U), t_s, t_r, π_s, π_r), oracle) = asynch(U, t_s, t_r, π_s, π_r, oracle),

for some oracle, and period π_r. □


5 Biphase Mark 

Moore's formulation [15] of the biphase mark protocol is based on two functions, send and recv, which represent the computations performed by the sender and the receiver, respectively. After presenting the definitions of these functions, we shall implement them in the design of the sequential modules sndr and rcvr. Then, using a theorem of Moore in combination with results of Section 4, we shall show that the circuit bpm achieves communication between these modules.

5.1 Sending 

The function send returns a bit vector that represents an encoding of a given input bit vector msg. Each bit of msg is encoded as a bit vector called a cell, computed as the value of cell(x, n, k, b), where b is the bit of msg to be encoded, x is the final bit of the preceding cell, and n and k are parameters of the protocol. A cell consists of two subcells, each of which is a uniform bit vector: a mark subcell of length n, followed by a code subcell of length k. The mark subcell is intended as a signal to the receiver that a new cell has been entered: each of its bits is not1(x). The code subcell is the region in which the receiver is expected to look for information from which it will derive the value b of the encoded bit: if b = T, then each bit of this subcell is x; if b = F, each bit is not1(x).¹

The definition of cell requires three auxiliary functions. First, the subcells are constructed by the function listn: for any n ∈ N and any x, listn(n, x) is the uniform vector (x ... x) of length n. Next, the two subcells are combined by the function app: for any two lists L = (a1 ... an) and M = (b1 ... bm), app(L, M) = (a1 ... an b1 ... bm). Finally, the bit occurring in the code subcell is determined by the Boolean function equal, where equal(x, y) = T iff x = y, i.e., equal(x, y) = not1(xor2(x, y)).

Now, we may define

cell(x, n, k, b) = app(listn(n, not1(x)), listn(k, equal(x, b))),

and cells(x, n, k, msg) is defined as

(1) NIL, if msg = NIL;

(2) app(cell(x, n, k, car(msg)), cells(equal(x, car(msg)), n, k, cdr(msg))), if msg ≠ NIL.

The protocol includes the convention that the value T is transmitted until the encoded message is sent. Thus, the encoded bit vector constructed by send includes "pads" consisting of arbitrarily many copies of T on both sides of the cells. The arguments of send include the lengths p1 and p2 of these pads:

send(msg, p1, n, k, p2) = app(listn(p1, T), app(cells(T, n, k, msg), listn(p2, T))).

5.2 Receiving 

Next, we define recv(i, x, j, L), which may be shown, under suitable assumptions, to be the inverse of send. This function recovers a bit of the encoded message from each cell by first detecting the beginning of the mark subcell, and then reading and decoding a bit at a predetermined location within the cell, which has been calculated to lie within the code subcell. Its arguments are interpreted as follows: i is the number of bits of the original message yet to be recovered, x is the last bit to have been read (from the preceding cell), j is the location within the cell of the bit to be read, and L is the remaining input stream.

The beginning of a new cell is detected by the function scan(x, L), which successively removes bits from the beginning of the list L until a value different from x is found. The recursive definition follows:

(1) If L = NIL, then scan(x, L) = NIL; otherwise:

(2) If car(L) = x, then scan(x, L) = scan(x, cdr(L)); otherwise:

(3) scan(x, L) = L.

We shall require one other auxiliary function: If n ∈ N and L is a list, then cdrn(n, L) is defined to be

(1) L, if n = 0;

(2) cdrn(n - 1, cdr(L)), if n > 0.

Finally, we define recv(i, x, j, L) to be the bit vector msg, where

(1) If i = 0, then msg = NIL; otherwise:

(2) Let S = scan(x, L). If length(S) ≤ j, then msg = NIL; otherwise:

(3) Let b = nth(j + 1, S) and L' = cdrn(j + 1, S). If b = x, then msg = cons(T, recv(i - 1, b, j, L')); otherwise:

(4) msg = cons(F, recv(i - 1, b, j, L')).

1 For technical reasons, we shall slightly modify Moore’s original definition of this function. Our 
modification does not affect the validity of any of his results. 




5.3 Moore’s Theorem 

Moore has proved a statement of correctness of the protocol for certain values of the 
parameters. The lengths of the mark and code subcells generated by send are taken to be 
n = 5 and k = 13, respectively. The index of the bit read by recv following the detection 
of an edge is j = 10, i.e., the eleventh bit after the edge is sampled. The theorem also 
depends on an assumption concerning the proximity of the two clock periods: 

Theorem 5.1 (Moore) Let $\pi_s > 0$, $\pi_r > 0$, and $17\pi_r < 18\pi_s < 19\pi_r$. Let $t_s < t_r < t_s + \pi_s$. Let $msg$ be a bit vector of length $k$. Then for any bit vector $oracle$ and any numbers $p_1$ and $p_2$,
\[ recv(k, T, 10, asynch(send(msg, p_1, 5, 13, p_2), t_s, t_r, \pi_s, \pi_r, oracle)) = msg. \]

We shall apply Moore’s theorem to the specification of the circuit bpm. The sequential 
submodules sndr and rcvr of bpm remain to be defined. As we present the definitions 
of these modules and their components, which are diagrammed in Figs. 8-12, we 
shall derive characterizations of their behavior that are analogous to Propositions 3.1 
and 3.2. The proofs of these results are based on straightforward calculations and have 
all been mechanically checked. Therefore, the details of these proofs are omitted here. 

5.4 Basic Components 

The message that is transmitted from sndr to rcvr will consist of eight bits. It is stored 
(by both sndr and rcvr) in a shift register, shift8, which is constructed from eight 
copies of the following 3-port cell, port3: 

(STRUCT
  (CLK RST SHIFT SIN LOAD DIN)
  (Q)
  (edff nand2 nand2 or2 nand2)
  ((CLK RST S3 S4) (DIN LOAD) (SIN SHIFT) (LOAD SHIFT) (S1 S2))
  ((Q QN) (S1) (S2) (S3) (S4)))

The behavior of port3 may be derived easily from that of edff (Proposition 3.1): 

Proposition 5.1 Let $\Sigma$ and $V = (shift\ sin\ load\ din)$ be a state and a data vector for port3. Assume that $shift$ and $load$ are not both $T$. Then
\[ nv(Q, V, \Sigma, port3) = \Sigma; \]
\[ next(V, \Sigma, port3) = \begin{cases} sin & \text{if } shift = T \text{ and } load = F \\ din & \text{if } shift = F \text{ and } load = T \\ \Sigma & \text{if } shift = F \text{ and } load = F. \end{cases} \]

The register shift8 is defined as follows: 
Figure 8: (b) shift8

(STRUCT
  (CLK RST LOAD SHIFT SIN D0 D1 D2 D3 D4 D5 D6 D7)
  (Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7)
  (port3 port3 port3 port3 port3 port3 port3 port3)
  ((CLK RST SHIFT SIN LOAD D0)
   (CLK RST SHIFT Q0 LOAD D1)
   (CLK RST SHIFT Q1 LOAD D2)
   (CLK RST SHIFT Q2 LOAD D3)
   (CLK RST SHIFT Q3 LOAD D4)
   (CLK RST SHIFT Q4 LOAD D5)
   (CLK RST SHIFT Q5 LOAD D6)
   (CLK RST SHIFT Q6 LOAD D7))
  ((Q0) (Q1) (Q2) (Q3) (Q4) (Q5) (Q6) (Q7)))

Proposition 5.2 Let $\Sigma = (\sigma_0 \ldots \sigma_7)$ and $V = (load\ shift\ sin\ d_0 \ldots d_7)$ be a state and a data vector for shift8. Assume that $shift$ and $load$ are not both $T$. Then
\[ nv(Q_i, V, \Sigma, shift8) = \sigma_i,\quad i = 0, \ldots, 7; \]
\[ next(V, \Sigma, shift8) = \begin{cases} (sin\ \sigma_0 \ldots \sigma_6) & \text{if } shift = T \text{ and } load = F \\ (d_0 \ldots d_7) & \text{if } shift = F \text{ and } load = T \\ \Sigma & \text{if } shift = F \text{ and } load = F. \end{cases} \]

In order to describe the shifting operation that is performed by shift8, we define, for any $b \in B$ and any bit vector $V$,
\[ shift(b, V) = \begin{cases} NIL & \text{if } V = NIL \\ cons(b, shift(car(V), cdr(V))) & \text{if } V \ne NIL. \end{cases} \]
Thus, $shift(sin, (\sigma_0 \ldots \sigma_7)) = (sin\ \sigma_0 \ldots \sigma_6)$.

In addition to dff and edff, we shall require two other versions of the flip-flop. The first of these, cdff, has an input CLR, which may be used to override the other data input D and reinitialize the state:

(STRUCT
  (CLK RST CLR D)
  (Q QN)
  (dff not1 nand2)
  ((CLK RST DCN) (CLR) (D CN))
  ((Q QN) (CN) (DCN)))

Proposition 5.3 Let $\Sigma$ and $V = (clr\ d)$ be a state and a data vector for cdff. Then $nv(Q, V, \Sigma, cdff) = \Sigma$ and $nv(QN, V, \Sigma, cdff) = not1(\Sigma)$;
\[ next(V, \Sigma, cdff) = \begin{cases} F & \text{if } clr = T \\ d & \text{if } clr = F. \end{cases} \]

The second, cedff, is a combination of edff and cdff: 

(STRUCT
  (CLK RST CLR EN D)
  (Q QN)
  (dff not1 not1 nand3 nand3 nand2)
  ((CLK RST S5) (EN) (CLR) (Q S1 S2) (D S2 EN) (S3 S4))
  ((Q QN) (S1) (S2) (S3) (S4) (S5)))

Proposition 5.4 Let $\Sigma$ and $V = (clr\ en\ d)$ be a state and a data vector for cedff. Then $nv(Q, V, \Sigma, cedff) = \Sigma$ and $nv(QN, V, \Sigma, cedff) = not1(\Sigma)$;
\[ next(V, \Sigma, cedff) = \begin{cases} F & \text{if } clr = T \\ d & \text{if } clr = F \text{ and } en = T \\ \Sigma & \text{if } clr = F \text{ and } en = F. \end{cases} \]

Figure 10: (a) count5 (b) comp5


Using cedff, we construct the following 5-bit counter, count5: 

(STRUCT
  (CLK RST CLR EN)
  (Q0 Q1 Q2 Q3 Q4)
  (cedff cedff cedff cedff cedff
   and2 and2 and2 xor2 xor2 xor2 xor2)
  ((CLK RST CLR EN QN0)
   (CLK RST CLR EN X1)
   (CLK RST CLR EN X2)
   (CLK RST CLR EN X3)
   (CLK RST CLR EN X4)
   (Q0 Q1) (A1 Q2) (A2 Q3) (Q0 Q1) (Q2 A1) (Q3 A2) (Q4 A3))
  ((Q0 QN0) (Q1 QN1) (Q2 QN2) (Q3 QN3) (Q4 QN4)
   (A1) (A2) (A3) (X1) (X2) (X3) (X4)))

Proposition 5.5 Let $\Sigma = (\sigma_0 \ldots \sigma_4)$ and $V = (clr\ en)$ be a state and a data vector for count5. Then
\[ nv(Q_i, V, \Sigma, count5) = \sigma_i,\quad i = 0, \ldots, 4; \]
\[ next(V, \Sigma, count5) = \begin{cases} listn(5, F) & \text{if } clr = T \\ inc(\Sigma) & \text{if } clr = F \text{ and } en = T \\ \Sigma & \text{if } clr = F \text{ and } en = F. \end{cases} \]


For convenience in representing states of both count5 and count3, we define, for $k \in \mathbb{N}$ and $n \in \mathbb{N}$,
\[ bv_k(n) = \begin{cases} listn(k, F) & \text{if } n = 0 \\ inc(bv_k(n - 1)) & \text{if } n > 0. \end{cases} \]
Thus, $bv_k(n)$ is the $k$-bit vector that represents the number $n$.

We shall also require a combinational module, the following 5-bit comparator comp5: 

(STRUCT
  (C0 B0 C1 B1 C2 B2 C3 B3 C4 B4)
  (MATCH)
  (xor2 xor2 xor2 xor2 xor2 nor5)
  ((C0 B0) (C1 B1) (C2 B2) (C3 B3) (C4 B4) (S1 S2 S3 S4 S5))
  ((S1) (S2) (S3) (S4) (S5) (MATCH)))

This module simply determines whether two given 5-bit vectors are equal, i.e.,
\[ cv(MATCH, (c_0\ b_0\ c_1\ b_1 \ldots c_4\ b_4), comp5) = \begin{cases} T & \text{if } (c_0 \ldots c_4) = (b_0 \ldots b_4) \\ F & \text{if not.} \end{cases} \]


5.5 The Sender 

The action of sndr is controlled by the submodule scount, which is defined as follows:

(STRUCT
  (CLK RST STOP BIT)
  (MARK CODE)
  (cdff count5 or2 or2 t0 f0 comp5 comp5)
  ((CLK RST STOP S1) (CLK RST S2 Q) (BIT Q) (STOP BIT) () ()
   (F Q0 F Q1 T Q2 F Q3 F Q4) (T Q0 F Q1 F Q2 F Q3 T Q4))
  ((Q QN) (Q0 Q1 Q2 Q3 Q4) (S1) (S2) (T) (F) (MARK) (CODE)))

A state of scount is a list $(on\ cnt)$ of two components, corresponding to the two sequential submodules, cdff and count5. As long as both data inputs are $F$, the value of $on$ remains constant. While $on = T$, $cnt$ is incremented repeatedly; while $on = F$, $cnt$ remains unchanged. If either data input is $T$, then $on$ is set accordingly and $cnt$ is reset to $bv_5(0)$. The output values are both determined by $cnt$:

Proposition 5.6 Let $\Sigma = (on\ cnt)$ and $V = (stop\ bit)$ be a state and a data vector for scount. Then
\[ nv(MARK, V, \Sigma, scount) = \begin{cases} T & \text{if } cnt = bv_5(4) \\ F & \text{if } cnt \ne bv_5(4); \end{cases} \]
\[ nv(CODE, V, \Sigma, scount) = \begin{cases} T & \text{if } cnt = bv_5(17) \\ F & \text{if } cnt \ne bv_5(17); \end{cases} \]
\[ next(V, \Sigma, scount) = \begin{cases} (F\ bv_5(0)) & \text{if } stop = T \\ (T\ bv_5(0)) & \text{if } stop = F \text{ and } bit = T \\ (T\ inc(cnt)) & \text{if } stop = bit = F \text{ and } on = T \\ (F\ cnt) & \text{if } stop = bit = F \text{ and } on = F. \end{cases} \]

The definition of sndr is as follows:
(STRUCT
  (CLK RST SEND I0 I1 I2 I3 I4 I5 I6 I7)
  (SOUT)
  (scount shift8 count3 edff or2 and2 and4 or3 f0)
  ((CLK RST A4 O2) (CLK RST SEND CODE F I0 I1 I2 I3 I4 I5 I6 I7)
   (CLK RST MARK) (CLK RST O3 SOUT) (CODE SEND) (Q7 MARK)
   (MARK C0 C1 C2) (A2 SEND CODE) ())
  ((MARK CODE) (Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7) (C0 C1 C2)
   (Q SOUT) (O2) (A2) (A4) (O3) (F)))

This module has two modes of operation. In one mode, it waits dormantly for the SEND input to become $T$. When this occurs, the current values of the other eight data inputs are loaded into the shift register, the state of the flip-flop edff (which determines the output value) changes, and the controller scount begins counting. This mode is described by the following:

Proposition 5.7 Let $V = (s\ d_0 \ldots d_7)$ be a data vector for sndr, and let $\Sigma = (\sigma_1\ \sigma_2\ \sigma_3\ \sigma_4)$ be a state of sndr, where $\sigma_1 = (on\ cnt)$. Assume that $on = F$ and $cnt = bv_5(0)$. Let $\Sigma' = next(V, \Sigma, sndr)$.

(a) If $s = T$, then $\Sigma' = ((T\ bv_5(0))\ (d_0 \ldots d_7)\ \sigma_3\ not1(\sigma_4))$;

(b) If $s = F$, then $\Sigma' = \Sigma$.

In the other mode of operation, the register contents are encoded and transmitted. Each register bit is encoded as a cell consisting of a 5-bit mark subcell and a 13-bit code subcell, as measured by scount. The number of cells that have been transmitted is recorded as the contents of count3. At the end of each mark subcell, this number is incremented. At the end of each code subcell, the scount counter is reset and the register contents are shifted:
Proposition 5.8 Let $V = (s\ d_0 \ldots d_7)$ be a data vector for sndr, and let $\Sigma = (\sigma_1\ \sigma_2\ \sigma_3\ \sigma_4)$ be a state of sndr, where $\sigma_1 = (on\ cnt)$ and $\sigma_2 = (q_0 \ldots q_7)$. Assume that $s = F$ and $on = T$. Let $\Sigma' = next(V, \Sigma, sndr)$.

(a) If $cnt = bv_5(4)$ and $\sigma_3 = bv_3(7)$, then
\[ \Sigma' = ((F\ bv_5(0))\ \sigma_2\ inc(\sigma_3)\ xor2(q_7, \sigma_4)); \]

(b) If $cnt = bv_5(4)$ and $\sigma_3 \ne bv_3(7)$, then
\[ \Sigma' = ((T\ bv_5(5))\ \sigma_2\ inc(\sigma_3)\ xor2(q_7, \sigma_4)); \]

(c) If $cnt = bv_5(17)$, then
\[ \Sigma' = ((T\ bv_5(0))\ shift(F, \sigma_2)\ \sigma_3\ not1(\sigma_4)); \]

(d) If $cnt \ne bv_5(4)$ and $cnt \ne bv_5(17)$, then
\[ \Sigma' = ((T\ inc(cnt))\ \sigma_2\ \sigma_3\ \sigma_4). \]

Our main theorem on sndr is the following specification:

Proposition 5.9 Let $V = (V_{SEND}\ V_{I0} \ldots V_{I7})$ be a list of vectors, each of length $n > 144$. Let $m = n - 144$. Assume that for $j = 1, \ldots, n$,
\[ nth(j, V_{SEND}) = \begin{cases} T & \text{if } j = m \\ F & \text{if } j \ne m. \end{cases} \]
Let $d_i = nth(m, V_{Ii})$, for $i = 0, \ldots, 7$. Let $sv_j = sv(j, SOUT, V, sndr)$, for $j = 1, \ldots, n$. Then $(sv_1 \ldots sv_n) = send((d_7 \ldots d_0), m, 5, 13, 0)$.




Proof: Let $\Sigma_j = state(j, V, sndr)$, $j = 0, \ldots, n$. By Proposition 5.7(b), for $j = 0, \ldots, m$,
\[ \Sigma_j = \Sigma_0(sndr) = ((F\ bv_5(0))\ listn(8, F)\ bv_3(0)\ F), \]
and hence $(sv_1 \ldots sv_m) = listn(m, T)$. It remains to show that
\[ (sv_{m+1} \ldots sv_n) = cells(T, 5, 13, (d_7 \ldots d_0)). \]
By Proposition 5.7(a),
\[ \Sigma_{m+1} = ((T\ bv_5(0))\ (d_0 \ldots d_7)\ bv_3(0)\ T). \]
We shall show that for all $k$, $0 \le k \le 7$, if
\[ \Sigma_{m+1+18k} = ((T\ bv_5(0))\ app(listn(k, F), (d_0 \ldots d_{7-k}))\ bv_3(k)\ x), \]
then
\[ (sv_{m+1+18k} \ldots sv_n) = cells(x, 5, 13, (d_{7-k} \ldots d_0)). \]
The proposition will follow from this result upon setting $k = 0$.

The proof is by induction on $7 - k$. In the base case, $k = 7$, our assumption is that
\[ \Sigma_{m+1+18k} = \Sigma_{m+127} = ((T\ bv_5(0))\ app(listn(7, F), (d_0))\ bv_3(7)\ x). \]
By Proposition 5.8(d), for $l = 0, \ldots, 4$,
\[ \Sigma_{m+127+l} = ((T\ bv_5(l))\ app(listn(7, F), (d_0))\ bv_3(7)\ x), \]
and by Proposition 5.8(a),
\[ \Sigma_{m+127+5} = \Sigma_{m+132} = ((F\ bv_5(0))\ app(listn(7, F), (d_0))\ bv_3(0)\ xor2(d_0, x)). \]
By Proposition 5.7(b), $\Sigma_{m+132+l} = \Sigma_{m+132}$ for $l = 0, \ldots, 12$. It follows that
\[ (sv_{m+127} \ldots sv_n) = app(listn(5, not1(x)), listn(13, equal(d_0, x))) = cell(x, 5, 13, d_0) = cells(x, 5, 13, (d_0)). \]

In the inductive case, $k < 7$, we again have, for $l = 0, \ldots, 4$,
\[ \Sigma_{m+1+18k+l} = ((T\ bv_5(l))\ app(listn(k, F), (d_0 \ldots d_{7-k}))\ bv_3(k)\ x) \]
by Proposition 5.8(d). By Proposition 5.8(b) and (d), for $l = 5, \ldots, 17$,
\[ \Sigma_{m+1+18k+l} = ((T\ bv_5(l))\ app(listn(k, F), (d_0 \ldots d_{7-k}))\ bv_3(k+1)\ xor2(d_{7-k}, x)). \]
Thus, $(sv_{m+1+18k} \ldots sv_{m+1+18k+17})$ is
\[ app(listn(5, not1(x)), listn(13, equal(d_{7-k}, x))) = cell(x, 5, 13, d_{7-k}). \]
By Proposition 5.8(c), $\Sigma_{m+1+18(k+1)}$ is
\[ ((T\ bv_5(0))\ app(listn(k+1, F), (d_0 \ldots d_{7-(k+1)}))\ bv_3(k+1)\ equal(d_{7-k}, x)). \]
It follows from our inductive hypothesis that
\[ (sv_{m+1+18(k+1)} \ldots sv_n) = cells(equal(d_{7-k}, x), 5, 13, (d_{7-(k+1)} \ldots d_0)), \]
and hence $(sv_{m+1+18k} \ldots sv_n)$ is
\[ app(cell(x, 5, 13, d_{7-k}), cells(equal(d_{7-k}, x), 5, 13, (d_{7-(k+1)} \ldots d_0))) = cells(x, 5, 13, (d_{7-k} \ldots d_0)).\ \Box \]

5.6 The Receiver 

The action of the receiver is controlled by a submodule, rcount, which is defined as follows:





Figure 12: (a) rcount (b) rcvr


(STRUCT
  (CLK RST STOP START)
  (BIT)
  (cdff count5 or2 t0 f0 comp5)
  ((CLK RST STOP S1) (CLK RST STOP Q) (START Q)
   () () (T Q0 F Q1 F Q2 T Q3 F Q4))
  ((Q QN) (Q0 Q1 Q2 Q3 Q4) (S1) (T) (F) (BIT)))

The functionality of rcount is similar to that of scount. A state is again a list $(on\ cnt)$ of two components, corresponding to the two sequential submodules, cdff and count5. As long as both data inputs are $F$, the value of $on$ remains constant. While $on = T$, $cnt$ is incremented repeatedly; while $on = F$, $cnt$ remains unchanged. If STOP is $T$, then $on$ and $cnt$ are reset to $F$ and $bv_5(0)$; otherwise, if START is $T$, then $on$ is set to $T$. The output value is determined by comparing $cnt$ with $bv_5(9)$:

Proposition 5.10 Let $\Sigma = (on\ cnt)$ and $V = (stop\ start)$ be a state and a data vector for rcount. Then
\[ nv(BIT, V, \Sigma, rcount) = \begin{cases} T & \text{if } cnt = bv_5(9) \\ F & \text{if } cnt \ne bv_5(9); \end{cases} \]
\[ next(V, \Sigma, rcount) = \begin{cases} (F\ bv_5(0)) & \text{if } stop = T \\ (T\ inc(cnt)) & \text{if } stop = F \text{ and } start = on = T \\ (T\ cnt) & \text{if } stop = on = F \text{ and } start = T \\ (T\ inc(cnt)) & \text{if } stop = start = F \text{ and } on = T \\ (F\ cnt) & \text{if } stop = start = on = F. \end{cases} \]


The definition of rcvr is as follows: 
(STRUCT
  (CLK RST SIN)
  (O0 O1 O2 O3 O4 O5 O6 O7 DONE)
  (rcount edff count3 shift8 dff not1 not1 xor2 and4 f0)
  ((CLK RST BIT N2) (CLK RST BIT N1)
   (CLK RST BIT) (CLK RST F BIT X F F F F F F F F)
   (CLK RST A) (SIN) (X) (SIN Q) (Q0 Q1 Q2 BIT) ())
  ((BIT) (Q QN) (Q0 Q1 Q2) (O0 O1 O2 O3 O4 O5 O6 O7)
   (DONE DONEN) (N1) (N2) (X) (A) (F)))

Like sndr, rcvr has two modes of operation. In the first mode, it waits for an edge, 
i.e., a change in input. This is detected by comparing the input with the state of the 
flip-flop edff, which is the negation of the most recently read value. In this mode, the 
controller rcount is turned off. When an edge is detected, rcount is turned on and its 
counter is reset: 

Proposition 5.11 Let $V = (sin)$ be a data vector for rcvr, and let $\Sigma = (\sigma_1\ \sigma_2\ \sigma_3\ \sigma_4\ \sigma_5)$ be a state of rcvr, where $\sigma_1 = (on\ cnt)$. Assume that $on = F$, $cnt = bv_5(0)$, and $\sigma_5 = F$. Let $\Sigma' = next(V, \Sigma, rcvr)$.

(a) If $sin = \sigma_2$, then $\Sigma' = ((T\ bv_5(0))\ \sigma_2\ \sigma_3\ \sigma_4\ F)$;

(b) If $sin \ne \sigma_2$, then $\Sigma' = \Sigma$.

In its second mode, the receiver counts until it reaches the input bit to be sampled. 
At this point, the appropriate value is shifted into the register shift8, the bit counter 
count3 is incremented, the current input value is stored in edff, and rcount is turned 
off. When the eighth bit has been computed, the state of dff is altered to indicate 
termination: 

Proposition 5.12 Let $V = (sin)$ be a data vector for rcvr, and let $\Sigma = (\sigma_1\ \sigma_2\ \sigma_3\ \sigma_4\ \sigma_5)$ be a state of rcvr, where $\sigma_1 = (on\ cnt)$. Assume that $on = T$ and $\sigma_5 = F$. Let $\Sigma' = next(V, \Sigma, rcvr)$.

(a) If $cnt = bv_5(9)$ and $\sigma_3 = bv_3(7)$, then
\[ \Sigma' = ((F\ bv_5(0))\ not1(sin)\ bv_3(0)\ shift(xor2(\sigma_2, sin), \sigma_4)\ T); \]

(b) If $cnt = bv_5(9)$ and $\sigma_3 \ne bv_3(7)$, then
\[ \Sigma' = ((F\ bv_5(0))\ not1(sin)\ inc(\sigma_3)\ shift(xor2(\sigma_2, sin), \sigma_4)\ F); \]

(c) If $cnt \ne bv_5(9)$, then $\Sigma' = ((T\ inc(cnt))\ \sigma_2\ \sigma_3\ \sigma_4\ F)$.

The specification of rcvr is given by the following lemma. For its proof, we require the following definition: If $L$ and $M$ are two bit vectors, then
\[ push(L, M) = \begin{cases} M & \text{if } L = NIL \\ push(cdr(L), shift(car(L), M)) & \text{if } L \ne NIL. \end{cases} \]
Thus, if $L = (x_1 \ldots x_l)$ and $M = (y_1 \ldots y_m)$, where $l \le m$, then
\[ push(L, M) = (x_l \ldots x_1\ y_1 \ldots y_{m-l}). \]
Proposition 5.13 Let $\mathcal{V} = (V)$, where $V$ is a bit vector of length $n$. Assume that $length(recv(8, T, 10, V)) = 8$. Then for some $m$, $1 \le m \le n$,
\[ sv(j, DONE, \mathcal{V}, rcvr) = \begin{cases} T & \text{if } j = m \\ F & \text{if } j < m. \end{cases} \]
For $i = 0, \ldots, 7$, let $d_i = sv(m, O_i, \mathcal{V}, rcvr)$. Then
\[ (d_7 \ldots d_0) = recv(8, T, 10, V). \]

Proof: Let $V = (v_1 \ldots v_n)$. For $j = 0, \ldots, n$, let $V_j = (v_{j+1} \ldots v_n)$ and
\[ \Sigma_j = state(j, \mathcal{V}, rcvr) = ((on_j\ cnt_j)\ flg_j\ bits_j\ reg_j\ done_j). \]
We shall prove the following generalization of the desired result:

Suppose that for some $j$, $on_j = F$, $cnt_j = bv_5(0)$, $done_i = F$ for all $i \le j$, and
\[ length(recv(8 - b, not1(flg_j), 10, V_j)) = 8 - b, \]
where $bits_j = bv_3(b)$. Then for some $m > j$, $done_i = F$ for all $i < m$, $done_m = T$, and
\[ reg_m = push(recv(8 - b, not1(flg_j), 10, V_j), reg_j). \]
The proposition will then follow from the case $j = 0$.

First note that according to our assumption,
\[ recv(8 - b, not1(flg_j), 10, V_j) \ne NIL, \]
and hence $scan(not1(flg_j), V_j) = V_k$ for some $k$, $j \le k \le n - 11$. Thus, $v_i = not1(flg_j)$ for $i = j + 1, \ldots, k$, and $v_{k+1} = flg_j$. From the definition of recv, we have
\[ recv(8 - b, not1(flg_j), 10, V_j) = cons(xor2(flg_j, v_{k+11}), recv(7 - b, v_{k+11}, 10, V_{k+11})), \]
and hence,
\[ length(recv(7 - b, v_{k+11}, 10, V_{k+11})) = 7 - b. \]
By Proposition 5.11, $\Sigma_i = \Sigma_j$ for $i = j, \ldots, k$, and
\[ \Sigma_{k+1} = ((T\ bv_5(0))\ flg_j\ bits_j\ reg_j\ F). \]
By Proposition 5.12(c), for $i = 0, \ldots, 9$,
\[ \Sigma_{k+1+i} = ((T\ bv_5(i))\ flg_j\ bits_j\ reg_j\ F). \]

The proof is by induction on $7 - b$. Consider first the base case, $b = 7$. By Proposition 5.12(a),
\[ \Sigma_{k+11} = ((F\ bv_5(0))\ not1(v_{k+11})\ bv_3(0)\ shift(xor2(flg_j, v_{k+11}), reg_j)\ T). \]
Here, the result holds for $m = k + 11$, since
\[ push(recv(8 - b, not1(flg_j), 10, V_j), reg_j) = push((xor2(flg_j, v_{k+11})), reg_j) = shift(xor2(flg_j, v_{k+11}), reg_j). \]

Now suppose that $b < 7$, and assume that the claim holds with $b$ replaced with $b + 1$. By Proposition 5.12(b),
\[ \Sigma_{k+11} = ((F\ bv_5(0))\ not1(v_{k+11})\ bv_3(b + 1)\ shift(xor2(flg_j, v_{k+11}), reg_j)\ F). \]
We may conclude that for some $m > k + 11$, $done_i = F$ for all $i < m$, $done_m = T$, and
\[ \begin{aligned} reg_m &= push(recv(7 - b, v_{k+11}, 10, V_{k+11}), shift(xor2(flg_j, v_{k+11}), reg_j)) \\ &= push(cons(xor2(flg_j, v_{k+11}), recv(7 - b, v_{k+11}, 10, V_{k+11})), reg_j) \\ &= push(recv(8 - b, not1(flg_j), 10, V_j), reg_j).\ \Box \end{aligned} \]
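As an added example (not code from the paper), the following Python model simulates sndr and rcvr cycle by cycle using only the next-state functions stated in Propositions 5.7, 5.8, 5.11 and 5.12, and checks that the eight data bits loaded on the SEND cycle are the register contents of rcvr when DONE first becomes T. It assumes identical clocks, i.e. rcvr reads SOUT exactly once per sndr cycle, so the asynch stage of the main theorem is omitted; counters are integers instead of bv5/bv3.

```python
# Added example, not code from the paper: a cycle-level Python model of sndr and rcvr
# built from Propositions 5.7, 5.8, 5.11 and 5.12 only. Counters are ints instead of
# the bit vectors bv5/bv3, states are tuples, and T/F are Python bools. The asynch
# stage is omitted: rcvr reads SOUT once per sndr cycle (both clocks identical).

T, F = True, False

def shift(b, V):
    # shift(b, (s0 ... s7)) = (b s0 ... s6)
    return [b] + V[:-1]

def sndr_next(state, s, d):
    """state = ((on, cnt), reg, bits, flip) mirrors (sigma1 sigma2 sigma3 sigma4);
    s is SEND and d = (d0 ... d7) the data inputs. SOUT is not1(flip)."""
    (on, cnt), reg, bits, flip = state
    if not on and cnt == 0:                                  # Proposition 5.7
        return ((T, 0), list(d), bits, not flip) if s else state
    if on and not s:                                         # Proposition 5.8
        if cnt == 4:                                         # end of mark subcell
            last = (bits == 7)
            return ((not last, 0 if last else 5), reg, (bits + 1) % 8, reg[7] != flip)
        if cnt == 17:                                        # end of code subcell
            return ((T, 0), shift(F, reg), bits, not flip)
        return ((T, cnt + 1), reg, bits, flip)
    raise ValueError("state/input pair not covered by Propositions 5.7 and 5.8")

def rcvr_next(state, sin):
    """state = ((on, cnt), flg, bits, reg, done) mirrors (sigma1 ... sigma5)."""
    (on, cnt), flg, bits, reg, done = state
    if not on and cnt == 0 and not done:                    # Proposition 5.11
        return ((T, 0), flg, bits, reg, F) if sin == flg else state
    if on and not done:                                      # Proposition 5.12
        if cnt == 9:                                         # sample the input
            last = (bits == 7)
            return ((F, 0), not sin, (bits + 1) % 8, shift(flg != sin, reg), last)
        return ((T, cnt + 1), flg, bits, reg, F)
    raise ValueError("state/input pair not covered by Propositions 5.11 and 5.12")

def run_bpm(d, m, n):
    """SEND is T on cycle m only; d is held on I0..I7 throughout. Returns
    (sout_1 ... sout_n, rcvr register on the first cycle with DONE = T, or None)."""
    s_state = ((F, 0), [F] * 8, 0, F)          # Sigma_0(sndr)
    r_state = ((F, 0), F, 0, [F] * 8, F)       # Sigma_0(rcvr): edff resets to F
    stream, decoded = [], None
    for j in range(1, n + 1):
        s_state = sndr_next(s_state, j == m, d)
        sout = not s_state[3]                   # SOUT is the QN output of edff
        stream.append(sout)
        if decoded is None:                     # no proposition covers DONE = T
            r_state = rcvr_next(r_state, sout)
            if r_state[4]:
                decoded = list(r_state[3])
    return stream, decoded
```

The first cell starts on the SEND cycle itself in this model (five F's, then thirteen copies of d7), and the eighth sample is taken 136 cycles later, so fewer cycles than that leave DONE at F.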

5.7 The Main Theorem 

Finally, we present our main result concerning the circuit bpm. We assume that the 
two clock input waveforms are admissible pulses for sndr and rcvr, respectively, with 
periods that conform to the constraints imposed by Moore’s theorem, and that the other 
inputs are well-behaved with respect to the clocks, as required by Theorem 3.1. We also 
assume that the SEND input has the value T on exactly one cycle, during which an 
8-bit message is read from the other data inputs. This message is then encoded and 
transmitted by sndr, and received, decoded, and output by rcvr. As stated in the 
theorem, the completion of this process is signalled by the output DONE: when its value 
first becomes T, the other outputs display the decoded message. 

Theorem 5.2 Let $p_{in} = (w_{CLKS}\ w_{RSTS}\ w_{CLKR}\ w_{RSTR}\ w_{SEND}\ w_0 \ldots w_7)$ be an input packet for bpm, where

(a) $(w_{CLKS}\ w_{RSTS}\ w_{SEND}\ w_0 \ldots w_7)$ is an admissible $n_s$-cycle input packet for sndr based at $b_s$ with value matrix $V_s = (V_{SEND}\ V_{I0} \ldots V_{I7})$ and period $\pi_s$;

(b) $w_{CLKR}$ is an admissible $(n_r + 2)$-cycle pulse for rcvr based at $b_r$ with high $h \ge 7000$, low $l \ge 7000 + setup(SIN, rcvr)$, and period $\pi_r = h + l$;

(c) $w_{RSTR}$ is an admissible $(n_r + 1)$-cycle reset waveform for rcvr based at $b_r$ with period $\pi_r$.

Assume $17\pi_r < 18\pi_s < 19\pi_r$. Suppose that for some $m_s$, $1 \le m_s \le n_s - 144$,
\[ nth(j, V_{SEND}) = \begin{cases} T & \text{if } j = m_s \\ F & \text{if } j \ne m_s,\ 1 \le j \le n_s. \end{cases} \]
For $i = 0, \ldots, 7$, let $d_i = nth(m_s, V_{Ii})$. Let $t_r = b_r + \pi_r$. Assume that $b_s + 2\pi_s \le t_r \le b_s + (m_s + 2)\pi_s$ and $b_s + (n_s + 2)\pi_s \le t_r + n_r \pi_r$.

Let $p_{out} = outp(bpm, sim(bpm, p_{in}, t_f))$, where $t_f \ge t_r + n_r \pi_r$. Then $p_{out}$ is a stable $n_r$-cycle packet based at $t_r + \pi_r$ with value matrix $V_r$ and period $\pi_r$, for some $V_r = (V_{DONE}\ V_{O0} \ldots V_{O7})$. For some $m_r$, $1 \le m_r \le n_r$,
\[ nth(j, V_{DONE}) = \begin{cases} T & \text{if } j = m_r \\ F & \text{if } j \ne m_r,\ 1 \le j \le n_r, \end{cases} \]
and for $i = 0, \ldots, 7$, $nth(m_r, V_{Oi}) = d_i$.
Proof: We may assume, without loss of generality, that $n_s = m_s + 144$. For $j = 0, \ldots, n_s$, let $sv_j = sv(j, SOUT, V_s, sndr)$. By Proposition 5.9,
\[ (sv_1 \ldots sv_{n_s}) = send((d_7 \ldots d_0), m_s, 5, 13, 0). \]
Since $sv_0 = T$, we have $sv_j = T$ for all $j \le m_s$.

Fix $j$ so that $b_s + j\pi_s \le t_r < b_s + (j + 1)\pi_s$ and let $t_s = b_s + j\pi_s$. Then $2 \le j \le m_s + 2$, and hence $sv_{j-2} = T$. Let
\[ S = (sv_{j-1} \ldots sv_{n_s}) = send((d_7 \ldots d_0), m_s - j + 2, 5, 13, 0) \]
and let $w_{LOUT}$ be the waveform for LOUT determined by $sim(bpm, p_{in}, t_f)$. By Theorem 4.1, $(w_{CLKR}\ w_{RSTR}\ w_{LOUT})$ is an admissible input packet for rcvr based at $b_r$ with value matrix $(A)$ and period $\pi_r$, where
\[ A = asynch(S, t_s, t_r, \pi_s, \pi_r, oracle) \]
for some bit vector $oracle$.

Let $V_r = (V_{DONE}\ V_{O0} \ldots V_{O7})$, where
\[ V_{DONE} = (sv(1, DONE, (A), rcvr) \ldots sv(n_r, DONE, (A), rcvr)) \]
and for $i = 0, \ldots, 7$,
\[ V_{Oi} = (sv(1, O_i, (A), rcvr) \ldots sv(n_r, O_i, (A), rcvr)). \]
By Theorem 3.1, $p_{out}$ is a stable $n_r$-cycle packet based at $b_r + \pi_r + \pi_r = t_r + \pi_r$ with value matrix $V_r$ and period $\pi_r$.

According to Moore's Theorem, $recv(8, T, 10, A) = (d_7 \ldots d_0)$. But then, by Proposition 5.13, there exists $m_r$ such that $1 \le m_r \le n_r$,
\[ nth(j, V_{DONE}) = \begin{cases} T & \text{if } j = m_r \\ F & \text{if } j \ne m_r,\ 1 \le j \le n_r, \end{cases} \]
and
\[ (nth(m_r, V_{O7}) \ldots nth(m_r, V_{O0})) = (d_7 \ldots d_0). \]
Thus, for $i = 0, \ldots, 7$, $nth(m_r, V_{Oi}) = d_i$. $\Box$


6 NASA’s Reliable Computing Platform 

The goal of NASA’s RCP project is an implementation of a provably correct operating 
system that provides the application software developer a mechanism for dispatching 
periodic tasks on a fault-tolerant computing base that appears as a single ultra-reliable 
processor. The RCP may be modeled at four levels of abstraction: 

(1) The uniprocessor model; 

(2) The fault-tolerant synchronous replicated model; 
(3) The fault-tolerant asynchronous replicated model; 

(4) The hardware/software implementation. 

At the second level, fault-tolerance is achieved by voting results computed by the 
replicated processors, which operate on the same sensor inputs, and are assumed to 
behave synchronously. A verified version of this model was reported in Task 1 [1]. 

At the third level, the assumptions of the synchronous model must be discharged. 
This requires (a) a mechanism for achieving synchronization among the clocks that drive 
the replicated processors and (b) a protocol for asynchronous communication. These 
were addressed in Tasks 2 [22] and 3 [15], respectively. 

Final realization of the RCP at the hardware level requires an appropriate hardware 
description language that will allow the integration of these previous results in an im- 
plementable design. This was the primary motivation for the present effort. Thus, we 
have designed a language that provides for the modeling of asynchronous circuits, at 
a sufficiently low level to allow straightforward implementation. In addition, we have 
demonstrated a methodology for deriving and verifying comprehensive descriptions of 
the behavior of these circuits. 

Our verification of the simple biphase mark circuit defined in Section 5 is a first step 
toward a verified RCP implementation. We would like to apply the same techniques, 
along with our previous results on Byzantine agreement and clock synchronization, to 
create a realistic implementation of a fault-tolerant circuit, verified at a greater level of 
detail than has been previously possible. 
Appendix: Nqthm Formalization 
A Language Definition 


;;**********************************************************************
;; S-EXPRESSIONS
;;**********************************************************************

;; Some basic definitions (the first 5 are from Moore's asynchrony file):


(defn listn (n value)
  (if (zerop n)
      nil
    (cons value
          (listn (sub1 n) value))))

(defn cdrn (n lst)
  (if (zerop n) lst (cdrn (sub1 n) (cdr lst))))

(defn nth (n lst)
  (car (cdrn n lst)))

(defn boolp (x) (or (equal x t) (equal x f)))

(defn bvp (x)
  (if (nlistp x)
      (equal x nil)
    (and (boolp (car x))
         (bvp (cdr x)))))

(defn bvpn (x n)
  (if (zerop n)
      (equal x ())
    (and (boolp (car x))
         (bvpn (cdr x) (sub1 n)))))

(defn plistp (l)
  (if (listp l)
      (plistp (cdr l))
    (equal l ())))

(defn firstn (n l)
  (if (zerop n)
      ()
    (cons (car l) (firstn (sub1 n) (cdr l)))))


;; Boolean terms and their evaluation:

(defn arities ()
  '((t0 . 0) (f0 . 0)
    (not1 . 1)
    (and2 . 2) (or2 . 2) (nand2 . 2) (nor2 . 2) (xor2 . 2)
    (and3 . 3) (or3 . 3) (nand3 . 3) (nor3 . 3) (xor3 . 3)
    (and4 . 4) (or4 . 4) (nand4 . 4) (nor4 . 4) (xor4 . 4)
    (and5 . 5) (or5 . 5) (nand5 . 5) (nor5 . 5) (xor5 . 5)))
(defn elemp (fn)
  (assoc fn (arities)))

(defn arity (fn)
  (cdr (assoc fn (arities))))

(defn termp$ (flg x l)
  (if (equal flg 'list)
      (if (listp x)
          (and (termp$ t (car x) l)
               (termp$ 'list (cdr x) l))
        t)
    (if (listp x)
        (and (elemp (car x))
             (equal (length (cdr x)) (arity (car x)))
             (termp$ 'list (cdr x) l))
      (member x l))))

(defn apply0 (fn)
  (case fn
    (t0 t)
    (f0 f)
    (otherwise f)))

(defn apply1 (fn x)
  (case fn
    (not1 (not x))
    (otherwise f)))

(defn apply2 (fn x y)
  (case fn
    (and2 (and x y))
    (or2 (or x y))
    (nand2 (not (and x y)))
    (nor2 (not (or x y)))
    (xor2 (not (equal x y)))
    (otherwise f)))

(defn apply3 (fn x y z)
  (case fn
    (and3 (and x y z))
    (or3 (or x y z))
    (nand3 (not (and x y z)))
    (nor3 (not (or x y z)))
    (xor3 (not (equal x (not (equal y z)))))
    (otherwise f)))

(defn apply4 (fn w x y z)
  (case fn
    (and4 (and w x y z))
    (or4 (or w x y z))
    (nand4 (not (and w x y z)))
    (nor4 (not (or w x y z)))
    (xor4 (not (equal w (not (equal x (not (equal y z)))))))
    (otherwise f)))

(defn apply5 (fn v w x y z)
  (case fn
    (and5 (and v w x y z))
    (or5 (or v w x y z))
    (nand5 (not (and v w x y z)))
    (nor5 (not (or v w x y z)))
    (xor5 (not (equal v (not (equal w (not (equal x (not (equal y z)))))))))
    (otherwise f)))

(defn eval (x a)
  (if (listp x)
      (case (arity (car x))
        (0 (apply0 (car x)))
        (1 (apply1 (car x)
                   (eval (cadr x) a)))
        (2 (apply2 (car x)
                   (eval (cadr x) a)
                   (eval (caddr x) a)))
        (3 (apply3 (car x)
                   (eval (cadr x) a)
                   (eval (caddr x) a)
                   (eval (cadddr x) a)))
        (4 (apply4 (car x)
                   (eval (cadr x) a)
                   (eval (caddr x) a)
                   (eval (cadddr x) a)
                   (eval (caddddr x) a)))
        (5 (apply5 (car x)
                   (eval (cadr x) a)
                   (eval (caddr x) a)
                   (eval (cadddr x) a)
                   (eval (caddddr x) a)
                   (eval (cadddddr x) a)))
        (otherwise f))
    (cdr (assoc x a))))


;;We define an "extended number" to be a number or F. (F represents
;;infinity.) The following operations are defined on this set:

(defn emin (x y)
  (if x
      (if y
          (if (lessp x y) x y)
        x)
    y))

(defn emax (x y)
  (if x
      (if y
          (if (lessp x y) y x)
        y)
    x))

(defn eadd1 (x)
  (if x
      (add1 x)
    x))

(defn eplus (x y)
  (if x
      (if y
          (plus x y)
        y)
    x))


;;**********************************************************************
;; WAVEFORMS
;;**********************************************************************

;;A waveform is a list ((vn . tn) ... (v1 . t1) (v0 . t0)) of "events",
;;each of which associates a value with the time at which the signal
;;acquires it; WAVEP requires t0 = 0, strictly decreasing times, and
;;consecutive values that differ:

(defn wavep (w)
  (if (listp w)
      (and (boolp (caar w))
           (if (listp (cdr w))
               (and (wavep (cdr w))
                    (numberp (cdar w))
                    (lessp (cdadr w) (cdar w))
                    (not (equal (caadr w) (caar w))))
             (and (equal (cdar w) 0)
                  (equal (cdr w) ()))))
    f))


;;A packet is a list of waveforms: 

(defn packetp (l n)
  (if (zerop n)
      (equal l ())
    (and (listp l)
         (wavep (car l))
         (packetp (cdr l) (sub1 n)))))


;;The value of a signal at a given time is computed from its waveform
;;as follows:

(defn wval (wave time)
  (if (listp wave)
      (if (lessp time (cdar wave))
          (wval (cdr wave) time)
        (caar wave))
    f))

(defn pval (packet time)
  (if (listp packet)
      (cons (wval (car packet) time)
            (pval (cdr packet) time))
    ()))

;;Histories:

(defn whist (wave time)
  (if (listp wave)
      (if (lessp time (cdar wave))
          (whist (cdr wave) time)
        wave)
    wave))


(defn phist (packet time) 

(if (listp packet) 

(cons (whist (car packet) time) 

(phist (cdr packet) time)) 

())) 

; ;To determine whether some waveform of a packet acquires a new value 
; ;at a given time: 

(defn wnewp (wave time) 

(if (listp wave) 

(if (lessp time (cdar wave)) 

(wnewp (cdr wave) time) 

(equal time (cdar wave))) 
f)) 

(defn pnewp (packet time) 

(if (listp packet) 

(or (wnewp (car packet) time) 

(pnewp (cdr packet) time)) 

f)) 

;;The basic propagation functions: 

(defn trans (w v tv) 

(if (listp w) 

(if (lessp (cdar w) tv) 

(if (equal (caar w) v) 
w 

(cons (cons v tv) w)) 

(trans (cdr w) v tv)) 

f)) 

(defn inert (w v t0 tv)
  (if (listp w)
      (if (equal (wval w t0) v)
          (whist w t0)
        (if (lessp (cdar w) tv)
            (if (equal (caar w) v)
                (cons (car w) (whist w t0))
              (cons (cons v tv) (whist w t0)))
          (inert (cdr w) v t0 tv)))
    f))



;;**********************************************************************

;;A behavioral module is a list M = (BEHAV I O R D P), where
;;  I is a list of litatoms, the inputs of M
;;  O is a list of litatoms, the outputs of M
;;  R is a list of elementary Boolean terms over I, corresponding to the outputs
;;  D is a list of delays corresponding to the outputs
;;  P is a list of modes (TRANS or INERT) corresponding to the outputs
(defn type (mod)
  ;a litatom
  (car mod))

(disable type)

(defn behavp (m) (equal (type m) 'behav))

(defn i (mod) 

;a list of litatoms 
(cadr mod)) 

(disable i) 

(defn o (mod) 

;a list of litatoms 
(caddr mod)) 

(disable o) 

(defn ni (mod) 

(length (i mod))) 

(defn no (mod) 

(length (o mod))) 

(defn r (mod) 

;a list of Boolean terms 
(cadddr mod)) 

(defn d (mod) 

;a list of positive numbers 
(caddddr mod)) 

(disable d) 

(defn p (mod) 

;a list of litatoms 
(cadddddr mod)) 

(disable p) 

(defn distinct-symbols (l)
  (if (listp l)
      (and (litatom (car l))
           (not (member (car l) (cdr l)))
           (distinct-symbols (cdr l)))
    t))

(defn check-modes (modes) 

(if (listp modes) 

(and (member (car modes) '(trans inert)) 
(check-modes (cdr modes))) 

t)) 

(defn check-delays (delays)
  (if (listp delays)
      (and (not (zerop (car delays)))
           (check-delays (cdr delays)))
    t))


(defn check-behav (m) 

(and (distinct-symbols (append (i m) (o m))) 

(equal (length (r m)) (length (o m))) 

(termp$ 'list (r m) (i m)) 

(equal (length (d m)) (length (o m))) 

(check-delays (d m)) 

(equal (length (p m)) (length (o m))) 

(check-modes (p m)))) 

(defn post-event (w v t0 mode delay)
  (case mode
    (trans (trans w v (plus t0 delay)))
    (inert (inert w v t0 (plus t0 delay)))
    (otherwise f)))

(defn post-events (packet outs pval t0 modes delays m)
  (if (listp packet)
      (cons (post-event (car packet)
                        (eval (car outs)
                              (pairlist (i m) pval))
                        t0
                        (car modes)
                        (car delays))
            (post-events (cdr packet)
                         (cdr outs)
                         pval
                         t0
                         (cdr modes)
                         (cdr delays)
                         m))
    ()))

;;The semantics of behavioral modules are defined by a function EXEC of
;;four arguments: (1) a module M, (2) an input packet INP, (3) an output packet
;;OUTP, and (4) a time T0. The value returned is the result of updating OUTP
;;by "executing" M on the input INP at time T0:

(defn exec (m inp outp tO) 

(post-events outp (r m) (pval inp tO) tO (p m) (d m) m)) 
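As an added example (not code from the paper or its Nqthm sources), the following Python transcription of WVAL, WHIST, TRANS, INERT, EVAL and EXEC shows the two propagation mechanisms side by side on a constructed input pulse: a pulse shorter than the gate delay is swallowed under inertial delay but propagated under transport delay. The transport-mode nand2 is a constructed variant for comparison only; the gates defined below all use inertial delay.

```python
# Added example, not code from the paper or its Nqthm sources: a Python transcription
# of the waveform semantics above (WVAL, WHIST, TRANS, INERT, EVAL and EXEC). A
# waveform is a list of (value, time) events, newest first, ending in an event at
# time 0, as WAVEP requires. The transport-mode gate below is a constructed
# variant for comparison; the paper's gates all use inertial delay.

T, F = True, False

GATES = {                       # the elementary functions of APPLY0 .. APPLY2
    "t0": lambda: T, "f0": lambda: F, "not1": lambda x: not x,
    "and2": lambda x, y: x and y, "or2": lambda x, y: x or y,
    "nand2": lambda x, y: not (x and y), "nor2": lambda x, y: not (x or y),
    "xor2": lambda x, y: x != y,
}

def ev(term, env):
    # EVAL: a term is an input name or a tuple (gate, argument terms ...)
    if isinstance(term, str):
        return env[term]
    return GATES[term[0]](*(ev(a, env) for a in term[1:]))

def wval(wave, time):
    # WVAL: the value of the newest event at or before TIME
    for v, t in wave:
        if time >= t:
            return v
    return F

def whist(wave, time):
    # WHIST: drop the events scheduled after TIME
    i = 0
    while i < len(wave) and time < wave[i][1]:
        i += 1
    return wave[i:]

def trans(w, v, tv):
    # TRANS (transport delay): drop events at or after TV, then schedule V at TV
    # unless the newest remaining event already carries V
    while w and not (w[0][1] < tv):
        w = w[1:]
    if not w:
        return F
    return w if w[0][0] == v else [(v, tv)] + w

def inert(w, v, t0, tv):
    # INERT (inertial delay): if the signal is already V at T0, cancel every event
    # pending after T0; otherwise the newest event before TV decides what is kept
    if wval(w, t0) == v:
        return whist(w, t0)
    while w:
        if w[0][1] < tv:
            return ([w[0]] if w[0][0] == v else [(v, tv)]) + whist(w, t0)
        w = w[1:]
    return F

def post_event(w, v, t0, mode, delay):
    return trans(w, v, t0 + delay) if mode == "trans" else inert(w, v, t0, t0 + delay)

def exec_module(m, inp, outp, t0):
    # EXEC: evaluate each output term on the input values at T0 and post the event.
    # m = ("behav", inputs, outputs, terms, delays, modes); inp, outp are packets.
    _, ins, _, terms, delays, modes = m
    env = {name: wval(w, t0) for name, w in zip(ins, inp)}
    return [post_event(w, ev(term, env), t0, mode, delay)
            for w, term, mode, delay in zip(outp, terms, modes, delays)]

def drive(module, inp, outp, times):
    # execute the module once at each time an input acquires a new value
    for t in times:
        outp = exec_module(module, inp, outp, t)
    return outp

NAND2_INERT = ("behav", ["a", "b"], ["c"], [("nand2", "a", "b")], [2000], ["inert"])
NAND2_TRANS = ("behav", ["a", "b"], ["c"], [("nand2", "a", "b")], [2000], ["trans"])
# constructed inputs: b is constantly T; a carries a pulse shorter (1000) or longer
# (3000) than the 2000-unit gate delay
NARROW_IN = [[(F, 11000), (T, 10000), (F, 0)], [(T, 0)]]
WIDE_IN = [[(F, 13000), (T, 10000), (F, 0)], [(T, 0)]]
C0 = [[(T, 0)]]                 # output packet: c starts at nand2(F, T) = T

if __name__ == "__main__":
    print("inertial, narrow pulse: ", drive(NAND2_INERT, NARROW_IN, C0, [10000, 11000]))
    print("inertial, wide pulse:   ", drive(NAND2_INERT, WIDE_IN, C0, [10000, 13000]))
    print("transport, narrow pulse:", drive(NAND2_TRANS, NARROW_IN, C0, [10000, 11000]))
```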


;;Gates are modeled as behavioral modules with inertial delay:

(defn t0 ()
  '(behav () (t) ((t0)) (2000) (inert)))

(defn f0 ()
  '(behav () (f) ((f0)) (2000) (inert)))

(defn not1 ()
  '(behav (a) (b) ((not1 a)) (2000) (inert)))

(defn and2 ()
  '(behav (a b) (c) ((and2 a b)) (2000) (inert)))

(defn or2 ()
  '(behav (a b) (c) ((or2 a b)) (2000) (inert)))

(defn nand2 ()
  '(behav (a b) (c) ((nand2 a b)) (2000) (inert)))

(defn nor2 ()
  '(behav (a b) (c) ((nor2 a b)) (2000) (inert)))

(defn xor2 ()
  '(behav (a b) (c) ((xor2 a b)) (2000) (inert)))

(defn and3 ()
  '(behav (a b c) (d) ((and3 a b c)) (2000) (inert)))

(defn or3 ()
  '(behav (a b c) (d) ((or3 a b c)) (2000) (inert)))

(defn nand3 ()
  '(behav (a b c) (d) ((nand3 a b c)) (2000) (inert)))

(defn nor3 ()
  '(behav (a b c) (d) ((nor3 a b c)) (2000) (inert)))

(defn xor3 ()
  '(behav (a b c) (d) ((xor3 a b c)) (2000) (inert)))

(defn and4 ()
  '(behav (a b c d) (e) ((and4 a b c d)) (2000) (inert)))

(defn or4 ()
  '(behav (a b c d) (e) ((or4 a b c d)) (2000) (inert)))

(defn nand4 ()
  '(behav (a b c d) (e) ((nand4 a b c d)) (2000) (inert)))

(defn nor4 ()
  '(behav (a b c d) (e) ((nor4 a b c d)) (2000) (inert)))

(defn xor4 ()
  '(behav (a b c d) (e) ((xor4 a b c d)) (2000) (inert)))

(defn and5 ()
  '(behav (a b c d e) (g) ((and5 a b c d e)) (2000) (inert)))

(defn or5 ()
  '(behav (a b c d e) (g) ((or5 a b c d e)) (2000) (inert)))

(defn nand5 ()
  '(behav (a b c d e) (g) ((nand5 a b c d e)) (2000) (inert)))

(defn nor5 ()
  '(behav (a b c d e) (g) ((nor5 a b c d e)) (2000) (inert)))

(defn xor5 ()
  '(behav (a b c d e) (g) ((xor5 a b c d e)) (2000) (inert)))


;;***********************************************************************
;;                          STRUCTURAL MODULES
;;***********************************************************************

;;A structural module is a list M = (STRUCT I O S LI LO), where
;;  I is a list of (global) inputs
;;  O is a list of (global) outputs
;;  S is a list of submodules
;;  LI is a list of local inputs: each member of LI is a list representing
;;     the inputs to the corresponding submodule
;;  LO is a list of local outputs: each member of LO is a list representing
;;     the outputs of the corresponding submodule


(defn structp (m) (equal (type m) 'struct))

(defn s (m)
  ;a list of modules
  (cadddr m))

(disable s)

(defn li (m)
  ;a list of lists of litatoms
  (caddddr m))

(disable li)

(defn lo (m)
  ;a list of lists of litatoms
  (cadddddr m))

(disable lo)

(defn lookup1 (key keys list)
  (if (listp keys)
      (if (member key (car keys))
          (car list)
          (lookup1 key (cdr keys) (cdr list)))
      f))

(defn find-lo (out m)
  (lookup1 out (lo m) (lo m)))

(defn find-s (out m)
  (lookup1 out (lo m) (s m)))

(defn find-li (out m)
  (lookup1 out (lo m) (li m)))

(defn lookup (key keys list)
  (if (listp keys)
      (if (equal key (car keys))
          (car list)
          (lookup key (cdr keys) (cdr list)))
      f))

(defn find-o (out m)
  (lookup out (find-lo out m) (o (find-s out m))))

(defn match-inputs (subins subs)
  (if (listp subs)
      (and (listp subins)
           (equal (length (car subins)) (ni (car subs)))
           (match-inputs (cdr subins) (cdr subs)))
      t))

(defn match-outputs (subouts subs)
  (if (listp subs)
      (and (equal (length (car subouts)) (no (car subs)))
           (match-outputs (cdr subouts) (cdr subs)))
      t))

(defn appears (x l)
  (if (listp l)
      (or (member x (car l))
          (appears x (cdr l)))
      f))

(defn all-appear (l m)
  (if (listp l)
      (and (appears (car l) m)
           (all-appear (cdr l) m))
      t))

(defn lists-all-appear (ls m)
  (if (listp ls)
      (and (all-appear (car ls) m)
           (lists-all-appear (cdr ls) m))
      t))

(defn none-appear (l m)
  (if (listp l)
      (and (not (appears (car l) m))
           (none-appear (cdr l) m))
      t))

(defn all-distinct-symbols (ls)
  (if (listp ls)
      (and (distinct-symbols (car ls))
           (none-appear (car ls) (cdr ls))
           (all-distinct-symbols (cdr ls)))
      t))

(defn check-struct (m)
  (and (equal (length (li m)) (length (s m)))
       (match-inputs (li m) (s m))
       (equal (length (lo m)) (length (s m)))
       (match-outputs (lo m) (s m))
       (all-appear (o m) (lo m))
       (lists-all-appear (li m) (cons (i m) (lo m)))
       (all-distinct-symbols (cons (i m) (lo m)))))

(prove-lemma lessp-count-submodules (rewrite)
  (implies (equal (type m) 'struct)
           (equal (lessp (count (s m)) (count m)) t))
  ((enable s type)))

(defn modulep$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (and (modulep$ t (car m))
               (modulep$ 'list (cdr m)))
          (equal m ()))
      (case (type m)
        (struct (and (check-struct m)
                     (modulep$ 'list (s m))))
        (behav (check-behav m))
        (otherwise f))))

(prove-lemma plistp-s ()
  (implies (modulep$ 'list s)
           (plistp s)))

(defn modulep (m)
  (modulep$ t m))

(prove-lemma plistp-s-m (rewrite)
  (implies (and (structp m) (modulep m))
           (plistp (s m)))
  ((use (plistp-s (s (s m))))))

;;For a given structural module M, a bundle is an object that consists of
;;a waveform corresponding to each output of each behavioral component of M:

(defn bundlep$ (flag b m)
  (if (equal flag 'list)
      (if (listp m)
          (and (bundlep$ t (car b) (car m))
               (bundlep$ 'list (cdr b) (cdr m)))
          (equal b ()))
      (if (structp m)
          (bundlep$ 'list b (s m))
          (packetp b (no m)))))

(defn bundlep (b m) (bundlep$ t b m))

;;An output packet for M may be extracted from a bundle for M as follows:

(defn select-wave (key signals packets)
  (if (listp packets)
      (if (member key (car signals))
          (lookup key (car signals) (car packets))
          (select-wave key (cdr signals) (cdr packets)))
      f))

(defn select-packet (keys signals packets)
  (if (listp keys)
      (cons (select-wave (car keys) signals packets)
            (select-packet (cdr keys) signals packets))
      ()))

(defn outp$ (flag m b)
  (if (equal flag 'list)
      (if (listp m)
          (cons (outp$ t (car m) (car b))
                (outp$ flag (cdr m) (cdr b)))
          ())
      (case (type m)
        (struct (select-packet (o m) (lo m) (outp$ 'list (s m) b)))
        (behav b)
        (otherwise f))))

(defn outp (m b) (outp$ t m b))

;;A list of input packets for the submodules of M may be extracted from
;;an input packet and a bundle for M as follows:

(defn input-packet (ins p b m)
  (select-packet ins
                 (cons (i m) (lo m))
                 (cons p (outp$ 'list (s m) b))))

(defn input-packets (ins p b m)
  (if (listp ins)
      (cons (input-packet (car ins) p b m)
            (input-packets (cdr ins) p b m))
      ()))

(defn inps (m p b)
  (input-packets (li m) p b m))

;;The semantics of structural modules are defined by a function STEP of
;;four arguments: (1) a module M, (2) an input packet P for M, (3) a bundle
;;B for M, and (4) a time T0. The value is the result of updating B by executing
;;each behavioral component of M for which some input acquires a new value
;;at time T0:

(defn step$ (flag m p b t0)
  (if (equal flag 'list)
      (if (listp m)
          (cons (step$ t (car m) (car p) (car b) t0)
                (step$ 'list (cdr m) (cdr p) (cdr b) t0))
          ())
      (case (type m)
        (struct (step$ 'list (s m) (inps m p b) b t0))
        (behav (if (pnewp p t0) (exec m p b t0) b))
        (otherwise f))))

(defn step (m p b t0) (step$ t m p b t0))


;;examples:

(defn adder2 ()
  `(struct (a b c) (l h)
           (,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2))
           ((a b) (a t1) (b t1) (t2 t3) (c t4) (t5 t4) (c t5) (t5 t1) (t7 t6))
           ((t1) (t2) (t3) (t4) (t5) (t6) (t7) (h) (l))))

(defn dff ()
  `(struct (clk rst d) (q qn)
           (,(not1) ,(and2) ,(nand2) ,(nand2) ,(nand3) ,(nand2) ,(nand2) ,(nand2))
           ((rst) (rn d) (b2 b1) (a1 clk) (b1 clk b2) (a2 dd) (b1 qn) (q a2))
           ((rn) (dd) (a1) (b1) (a2) (b2) (q) (qn))))

(defn fnand2 ()
  '(behav (a b) (c) ((nand2 a b)) (1000) (inert)))

(defn dlatch ()
  `(struct (clk d) (s2)
           (,(not1) ,(nand2) ,(nand2) ,(fnand2))
           ((clk) (clk d) (s1 s3) (s0 s2))
           ((s0) (s1) (s2) (s3))))


;;***********************************************************************
;;                              SIMULATION
;;***********************************************************************


;;The top-level simulation function SIM takes three arguments: (1) a module
;;M, (2) an input packet P for M, and (3) a termination time TF. The value
;;returned is the bundle produced by simulating M with input P over the
;;interval from 0 to TF.

;;The time at which each simulation cycle occurs is computed by the function
;;TNEXT. Its arguments are (1) the time T0 of the last simulation cycle,
;;(2) the input packet P, (3) the current bundle B, and (4) the module M.
;;The value returned is the time of the earliest event occurring in either
;;P or B that is later than T0, if such an event exists, and F otherwise.

(defn tnextw (wave t0)
  (if (listp wave)
      (if (lessp t0 (cdar wave))
          (if (lessp t0 (cdadr wave))
              (tnextw (cdr wave) t0)
              (cdar wave))
          f)
      f))

(defn tnextp (p t0)
  (if (listp p)
      (emin (tnextw (car p) t0)
            (tnextp (cdr p) t0))
      f))

(defn tnextb$ (flag bun m t0)
  (if (equal flag 'list)
      (if (listp m)
          (emin (tnextb$ t (car bun) (car m) t0)
                (tnextb$ 'list (cdr bun) (cdr m) t0))
          f)
      (case (type m)
        (struct (tnextb$ 'list bun (s m) t0))
        (behav (tnextp bun t0))
        (otherwise f))))

(defn tnext (t0 p b m)
  (emin (tnextp p t0) (tnextb$ t b m t0)))

;;The function RUN is the guts of the simulator. Its arguments are
;;(1) a module M, (2) an input packet P, (3) an initial bundle B,
;;(4) an initial time T0, and (5) a termination time TF. It simulates
;;M over the interval from T0 to TF, repeatedly calling STEP.

(prove-lemma lessp-tnextw (rewrite)
  (implies (tnextw w t0)
           (lessp t0 (tnextw w t0))))

(prove-lemma lessp-tnextp (rewrite)
  (implies (tnextp p t0)
           (lessp t0 (tnextp p t0))))

(prove-lemma lessp-tnextb$ (rewrite)
  (implies (tnextb$ flag b m t0)
           (lessp t0 (tnextb$ flag b m t0))))

(prove-lemma lessp-tnext (rewrite)
  (implies (tnext t0 p b m)
           (lessp t0 (tnext t0 p b m))))

(defn run (m p b t0 tf)
  (let ((tnext (tnext t0 p b m)))
    (if (and tnext (leq tnext tf))
        (run m p (step m p b tnext) tnext tf)
        b))
  ((lessp (difference tf t0))))


;;SIM calls RUN with an initial time T0 = 0 and an initial bundle that
;;is computed by first associating the trivial waveform ((F . 0)) with
;;each signal of M, and then executing every behavioral component of M:

(defn w0 () `((,f . 0)))

(defn b0$ (flg m)
  (if (equal flg 'list)
      (if (listp m)
          (cons (b0$ t (car m)) (b0$ 'list (cdr m)))
          ())
      (case (type m)
        (struct (b0$ 'list (s m)))
        (behav (listn (no m) (w0)))
        (otherwise f))))

(defn b0 (m) (b0$ t m))

(defn init$ (flg m p)
  (if (equal flg 'list)
      (if (listp m)
          (cons (init$ t (car m) (car p))
                (init$ 'list (cdr m) (cdr p)))
          ())
      (case (type m)
        (struct (init$ 'list (s m) (inps m p (b0 m))))
        (behav (exec m p (b0 m) 0))
        (otherwise f))))

(defn init (m p)
  (init$ t m p))

(defn sim (m p tf)
  (run m p (init m p) 0 tf))
B Properties of the Simulator


;;***********************************************************************
;;                      WAVEFORMS AND PROPAGATION
;;***********************************************************************

;;The value of a waveform at any time is a Boolean:

(prove-lemma boolp-wval (rewrite)
  (implies (wavep w)
           (boolp (wval w t0))))

;;The value of a packet at any time is a bit vector:

(prove-lemma bvp-pval (rewrite)
  (implies (packetp p n)
           (bvpn (pval p t0) n))
  ((disable boolp)))

;;Any history of a waveform is a waveform:

(prove-lemma wavep-whist (rewrite)
  (implies (wavep w)
           (wavep (whist w t0))))

(prove-lemma listp-whist (rewrite)
  (implies (wavep w)
           (listp (whist w t0))))

;;The history of a waveform W w.r.t. time T0 has the same value
;;at T0 as W:

(prove-lemma whist-value (rewrite)
  (equal (wval (whist w t0) t0)
         (wval w t0)))

(prove-lemma wval-caar-whist (rewrite)
  (implies (wavep w)
           (equal (wval w t0) (caar (whist w t0)))))

(disable wval-caar-whist)

(prove-lemma leq-cdar-whist-t0 (rewrite)
  (implies (wavep w)
           (not (lessp t0 (cdar (whist w t0))))))

(prove-lemma lessp-cdar-whist (rewrite)
  (implies (and (wavep w)
                (not (equal (wval w t0) (caar w))))
           (lessp (cdar (whist w t0)) (cdar w))))

;;The history of W w.r.t. T0 has a constant value for all T1 >= T0:

(prove-lemma wval-whist (rewrite)
  (implies (and (wavep w)
                (leq t0 t1))
           (equal (wval (whist w t0) t1)
                  (caar (whist w t0)))))
(prove-lemma leq-cdar-whist (rewrite)
  (not (lessp t0 (cdar (whist w t0)))))

(prove-lemma leq-cdar-whist-t0-rewrite (rewrite)
  (implies (and (wavep w)
                (lessp t0 tv))
           (equal (lessp (cdar (whist w t0)) tv) t))
  ((use (leq-cdar-whist-t0))))

;;Both propagation functions, TRANS and INERT, transform waveforms
;;into waveforms:

(prove-lemma wavep-trans (rewrite)
  (implies (and (wavep w)
                (boolp v)
                (not (zerop t0)))
           (wavep (trans w v t0))))

(prove-lemma wavep-inert (rewrite)
  (implies (and (wavep w)
                (boolp v)
                (lessp t0 tv))
           (wavep (inert w v t0 tv)))
  ((induct (inert w v t0 tv))
   (disable boolp)
   (enable wval-caar-whist)))

;;Both propagation functions are "nonretroactive", i.e., do not
;;alter the history of a waveform w.r.t. the current time:

(prove-lemma trans-nonretroactive (rewrite)
  (implies (and (wavep wave)
                (lessp t0 t1))
           (equal (whist (trans wave val t1) t0)
                  (whist wave t0))))

(prove-lemma inert-nonretroactive (rewrite)
  (implies (and (wavep wave)
                (lessp t0 tv))
           (equal (whist (inert wave val t0 tv) t0)
                  (whist wave t0)))
  ((induct (inert wave val t0 tv))))

;;The predicate WCONP determines whether a waveform W has a constant
;;value V over a time interval [T1,T2):

(defn wconp (w v t1 t2)
  (if (listp w)
      (if (lessp (cdar w) t2)
          (and (leq (cdar w) t1)
               (equal (caar w) v))
          (wconp (cdr w) v t1 t2))
      f))
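An added example, not the report's own Nqthm code: the Python model below renders the Appendix A simulator (EXEC, STEP, TNEXT, RUN, SIM) for a single behavioral module and checks the result with the WCONP predicate just defined. TRANS, INERT, WVAL, WNEWP and EMIN are not defined on this page, so their definitions here are assumptions reconstructed from the Appendix B lemmas; the input packet is constructed and carries a 500-unit glitch shorter than NAND2's 2000-unit inertial delay, which the run rejects.

```python
# Added example, not the report's own code: a Python model of the Appendix A
# simulator for one behavioral module, with waveforms as (value, time) pairs,
# newest first, as in the Nqthm code.  TRANS, INERT, WVAL, WNEWP and EMIN are
# ASSUMED here, reconstructed from the Appendix B lemmas on those functions.

def wval(w, t):
    """Value of waveform w at time t: the newest event at or before t."""
    for v, tw in w:
        if tw <= t:
            return v
    return False

def trans(w, v, tv):
    """Transport delay (assumed): drop events at or after tv, post v at tv."""
    w = [(u, tw) for u, tw in w if tw < tv]
    return w if w and w[0][0] == v else [(v, tv)] + w

def inert(w, v, t0, tv):
    """Inertial delay (assumed, pulse rejection): a pending event (after t0)
    with value v is kept; other pending events are cancelled; then v is
    posted at tv unless the value at t0 is already v."""
    if w and t0 < w[0][1]:
        return w if w[0][0] == v else inert(w[1:], v, t0, tv)
    return w if w and w[0][0] == v else [(v, tv)] + w

def wnewp(w, t0):
    """Assumed WNEWP: w acquires a new value exactly at t0."""
    return any(tw == t0 for _, tw in w)

def emin(x, y):
    """Assumed EMIN: minimum of two event times, None standing for F."""
    return y if x is None else x if y is None else min(x, y)

def tnextw(w, t0):
    """Page's TNEXTW: earliest event time in w later than t0, else None."""
    nxt = None
    for _, tw in w:          # times descend, so the last hit is the earliest
        if tw > t0:
            nxt = tw
    return nxt

def tnextp(p, t0):
    """Page's TNEXTP: earliest event in any waveform of the packet."""
    nxt = None
    for w in p:
        nxt = emin(tnextw(w, t0), nxt)
    return nxt

def wconp(w, v, t1, t2):
    """Page's WCONP: w has the constant value v over [t1, t2)."""
    for u, tw in w:
        if tw < t2:
            return tw <= t1 and u == v
    return False

# Primitive gate functions for the terms of a (BEHAV I O R D P) module.
PRIMS = {"not1": lambda a: not a, "and2": lambda a, b: a and b,
         "nand2": lambda a, b: not (a and b), "or2": lambda a, b: a or b}

def ev(term, env):
    """EVAL of a term such as ('nand2', 'a', 'b') under an input binding."""
    if isinstance(term, str):
        return env[term]
    return PRIMS[term[0]](*(ev(x, env) for x in term[1:]))

def exec_(m, inp, outp, t0):
    """EXEC / POST-EVENTS: evaluate each output term on PVAL(inp, t0) and
    schedule the result after its delay in its propagation mode."""
    env = dict(zip(m["i"], [wval(w, t0) for w in inp]))
    out = []
    for w, term, mode, delay in zip(outp, m["r"], m["p"], m["d"]):
        v = ev(term, env)
        out.append(trans(w, v, t0 + delay) if mode == "trans"
                   else inert(w, v, t0, t0 + delay))
    return out

def step(m, p, b, t0):
    """STEP (behavioral case): execute only if some input is new at t0."""
    return exec_(m, p, b, t0) if any(wnewp(w, t0) for w in p) else b

def run(m, p, b, t0, tf):
    """RUN: step at successive TNEXT times while they lie at or before tf."""
    while True:
        tn = emin(tnextp(p, t0), tnextp(b, t0))     # TNEXT, behavioral case
        if tn is None or tn > tf:
            return b
        b, t0 = step(m, p, b, tn), tn

def sim(m, p, tf):
    """SIM: INIT (one EXEC at time 0 on the trivial bundle), then RUN."""
    b0 = [[(False, 0)] for _ in m["o"]]             # W0 = ((F . 0))
    return run(m, p, exec_(m, p, b0, 0), 0, tf)

# The page's NAND2 gate and a constructed input packet: a rises at 1000;
# b rises at 3000, drops at 3500 for a 500-unit glitch, rises again at 4000.
NAND2 = {"i": ["a", "b"], "o": ["c"], "r": [("nand2", "a", "b")],
         "d": [2000], "p": ["inert"]}
INPUT = [[(True, 1000), (False, 0)],
         [(True, 4000), (False, 3500), (True, 3000), (False, 0)]]

def demo():
    return sim(NAND2, INPUT, 10000)[0]   # [(False, 6000), (True, 2000), (False, 0)]
```

The structural case (STEP$ recursing through submodules via INPS and OUTP$, with bundles in place of packets) is not modelled here.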

(prove-lemma wval-wconp (rewrite)
  (implies (and (wconp w v t1 t2)
                (wavep w)
                (leq t1 tp)
                (lessp tp t2))
           (equal (wval w tp) v)))

;;The waveform (TRANS W V TV) has the constant value V
;;for all T2 >= TV:

(prove-lemma wconp-trans-1 (rewrite)
  (implies (and (wavep w)
                (not (zerop tv))
                (lessp tv t2))
           (wconp (trans w v tv) v tv t2)))

;;The waveform (INERT W V T0 TV) has the constant value V
;;for all T2 >= TV:

(prove-lemma wconp-inert-1 (rewrite)
  (implies (and (wavep w)
                (lessp t0 tv)
                (lessp tv t2))
           (wconp (inert w v t0 tv) v tv t2))
  ((enable wval-caar-whist)))

;;If W has the constant value U over [T1,T2), where T1 <= T2 <= TV,
;;then so does (TRANS W V TV):

(prove-lemma wconp-trans-2 (rewrite)
  (implies (and (wavep w)
                (wconp w u t1 t2)
                (leq t1 t2)
                (leq t2 tv)
                (not (zerop t2)))
           (wconp (trans w v tv) u t1 t2)))

;;If W has the constant value U over [T1,T2), where
;;T1 <= T0 <= T2 <= TV, then so does (INERT W V T0 TV):

(prove-lemma wconp-inert-2 (rewrite)
  (implies (and (wavep w)
                (wconp w u t1 t2)
                (lessp t0 tv)
                (leq t1 t0)
                (leq t0 t2)
                (leq t2 tv))
           (wconp (inert w v t0 tv) u t1 t2)))

;;Both propagation functions are "idempotent" in the following sense:

(prove-lemma trans-trans (rewrite)
  (implies (and (wavep w)
                (leq tv1 tv2))
           (equal (trans (trans w v tv1) v tv2)
                  (trans w v tv1))))

(prove-lemma inert-inert (rewrite)
  (implies (and (wavep w)
                (lessp t01 tv1) (lessp t02 tv2)
                (lessp t01 t02) (lessp tv1 tv2))
           (equal (inert (inert w v t01 tv1) v t02 tv2)
                  (inert w v t01 tv1)))
  ((induct (inert w v t01 tv1))
   (enable wval-caar-whist)))

(disable trans)

(disable inert)


;;***********************************************************************
;;                          BEHAVIORAL MODULES
;;***********************************************************************


;;Execution of a behavioral module depends only on the current value of
;;the input (i.e., it is independent of both past and future input):

(prove-lemma exec-comb (rewrite)
  (implies (equal (pval p1 t0) (pval p2 t0))
           (equal (equal (exec m p1 pout t0) (exec m p2 pout t0))
                  t)))

(prove-lemma exec-nonret-1 ()
  (implies (and (check-delays d) (equal (length d) n)
                (check-modes pm) (equal (length pm) n)
                (packetp pout n))
           (equal (phist (post-events pout r inv t0 pm d m) t0)
                  (phist pout t0))))

;;Execution is "nonretroactive", i.e., does not alter the history of
;;the output packet:

(prove-lemma exec-nonretroactive (rewrite)
  (implies (and (modulep m)
                (behavp m)
                (packetp pout (no m)))
           (equal (phist (exec m pin pout t0) t0)
                  (phist pout t0)))
  ((use (exec-nonret-1 (d (d m)) (pm (p m)) (n (no m))
                       (r (r m)) (inv (pval pin t0))))))

(prove-lemma exec-idem-1 ()
  (implies (and (check-delays d) (equal (length d) n)
                (check-modes pm) (equal (length pm) n)
                (packetp pout n)
                (lessp t0 t1))
           (equal (post-events (post-events pout r inv t0 pm d m)
                               r inv t1 pm d m)
                  (post-events pout r inv t0 pm d m))))

;;Execution is "idempotent" in the following sense:

(prove-lemma exec-idempotent (rewrite)
  (implies (and (modulep m)
                (behavp m)
                (packetp pout (no m))
                (lessp t0 t1)
                (equal (pval pin t0) (pval pin t1)))
           (equal (exec m pin (exec m pin pout t0) t1)
                  (exec m pin pout t0)))
  ((use (exec-idem-1 (d (d m)) (pm (p m)) (n (no m))
                     (r (r m)) (inv (pval pin t0))))))
;;We shall prove that under normal conditions, execution always
;;produces a valid output packet. We must first show that evaluation
;;of a Boolean term always produces a Boolean value:

(prove-lemma boolp-apply0 (rewrite)
  (boolp (apply0 fn)))

(prove-lemma boolp-apply1 (rewrite)
  (boolp (apply1 fn x)))

(prove-lemma boolp-apply2 (rewrite)
  (boolp (apply2 fn x y)))

(prove-lemma boolp-apply3 (rewrite)
  (boolp (apply3 fn x y z)))

(prove-lemma boolp-apply4 (rewrite)
  (boolp (apply4 fn w x y z)))

(prove-lemma boolp-apply5 (rewrite)
  (boolp (apply5 fn v w x y z)))

(prove-lemma boolp-eval-list (rewrite)
  (implies (listp x)
           (boolp (eval x a)))
  ((expand (eval x a))
   (disable apply0 apply1 apply2 apply3 apply4 apply5 boolp arity)))

(prove-lemma boolp-eval-nlistp (rewrite)
  (implies (and (termp$ t term i) (nlistp term)
                (bvpn pval (length i)))
           (boolp (eval term (pairlist i pval)))))

(prove-lemma boolp-eval (rewrite)
  (implies (and (termp$ t term i)
                (bvpn pval (length i)))
           (boolp (eval term (pairlist i pval))))
  ((expand (eval x a))
   (disable apply0 apply1 apply2 apply3 apply4 apply5 boolp arity)))

(defn ppe-induct (d pm r pout n)
  (if (zerop n)
      t
      (ppe-induct (cdr d) (cdr pm) (cdr r) (cdr pout) (sub1 n))))

(prove-lemma packetp-post-events ()
  (implies (and (check-delays d) (equal (length d) n)
                (check-modes pm) (equal (length pm) n)
                (termp$ 'list r (i m)) (equal (length r) n)
                (bvpn inv (length (i m)))
                (packetp pout n))
           (packetp (post-events pout r inv t0 pm d m) n))
  ((induct (ppe-induct d pm r pout n))))

(prove-lemma packetp-exec (rewrite)
  (implies (and (modulep m)
                (behavp m)
                (packetp pin (length (i m)))
                (packetp pout (length (o m))))
           (packetp (exec m pin pout t0) (length (o m))))
  ((use (packetp-post-events
          (d (d m)) (pm (p m)) (r (r m)) (n (no m)) (inv (pval pin t0))))))


;;***********************************************************************
;;                          STRUCTURAL MODULES
;;***********************************************************************

;;We extend the notion of "history" to bundles in the natural way:

(defn bhist$ (flag b m t0)
  (if (equal flag 'list)
      (if (listp m)
          (cons (bhist$ t (car b) (car m) t0)
                (bhist$ 'list (cdr b) (cdr m) t0))
          ())
      (if (structp m)
          (bhist$ 'list b (s m) t0)
          (phist b t0))))

(defn bhist (b m t0)
  (bhist$ t b m t0))

(prove-lemma step$-nonret ()
  (implies (and (modulep$ flag m)
                (bundlep$ flag b m))
           (equal (bhist$ flag (step$ flag m p b t0) m t0)
                  (bhist$ flag b m t0)))
  ((disable exec)))

;;STEP is "nonretroactive", i.e., does not alter the history of
;;its third argument:

(prove-lemma step-nonretroactive (rewrite)
  (implies (and (modulep m)
                (bundlep b m))
           (equal (bhist (step m p b t0) m t0)
                  (bhist b m t0)))
  ((use (step$-nonret (flag t)))))


(prove-lemma whist-lookup (rewrite)
  (implies (equal (phist p1 t0) (phist p2 t0))
           (equal (equal (whist (lookup z v p1) t0)
                         (whist (lookup z v p2) t0))
                  t)))

(defn phist$ (flag p t0)
  (if (equal flag 'list)
      (if (listp p)
          (cons (phist$ t (car p) t0)
                (phist$ 'list (cdr p) t0))
          ())
      (phist p t0)))

(prove-lemma whist-select-wave (rewrite)
  (implies (equal (phist$ 'list p1 t0)
                  (phist$ 'list p2 t0))
           (equal (equal (whist (select-wave z subouts p1) t0)
                         (whist (select-wave z subouts p2) t0))
                  t)))

(prove-lemma phist-select-packet (rewrite)
  (implies (equal (phist$ 'list p1 t0)
                  (phist$ 'list p2 t0))
           (equal (equal (phist (select-packet souts subouts p1) t0)
                         (phist (select-packet souts subouts p2) t0))
                  t)))

(prove-lemma phist$-outp$ (rewrite)
  (implies (equal (bhist$ flag b1 m t0) (bhist$ flag b2 m t0))
           (equal (equal (phist$ flag (outp$ flag m b1) t0)
                         (phist$ flag (outp$ flag m b2) t0))
                  t)))

(prove-lemma history-outp-submodules (rewrite)
  (implies (and (structp m)
                (equal (bhist b1 m t0)
                       (bhist b2 m t0)))
           (equal (equal (phist$ 'list (outp$ 'list (s m) b1) t0)
                         (phist$ 'list (outp$ 'list (s m) b2) t0))
                  t)))

(prove-lemma phist-input-packet (rewrite)
  (implies (and (structp m)
                (equal (bhist b1 m t0)
                       (bhist b2 m t0))
                (equal (phist p1 t0)
                       (phist p2 t0)))
           (equal (equal (phist (input-packet ins p1 b1 m) t0)
                         (phist (input-packet ins p2 b2 m) t0))
                  t)))

(prove-lemma phist$-input-packets (rewrite)
  (implies (and (structp m)
                (equal (bhist b1 m t0)
                       (bhist b2 m t0))
                (equal (phist p1 t0)
                       (phist p2 t0)))
           (equal (equal (phist$ 'list (input-packets li p1 b1 m) t0)
                         (phist$ 'list (input-packets li p2 b2 m) t0))
                  t))
  ((disable input-packet)
   (induct (input-packets li inp s m))))

(prove-lemma phist$-inps-2 (rewrite)
  (implies (and (structp m)
                (equal (phist$ flag p1 t0)
                       (phist$ flag p2 t0))
                (not (equal flag 'list)))
           (equal (equal (phist$ 'list (inps m p1 b) t0)
                         (phist$ 'list (inps m p2 b) t0))
                  t)))

(prove-lemma whist-wnewp (rewrite)
  (implies (and (wnewp w1 t0)
                (equal (whist w1 t0) (whist w2 t0)))
           (wnewp w2 t0)))

(defn list-2-induct (x y)
  (if (listp x)
      (list-2-induct (cdr x) (cdr y))
      t))

(prove-lemma phist-pnewp (rewrite)
  (implies (and (pnewp p1 t0)
                (equal (phist p1 t0) (phist p2 t0)))
           (pnewp p2 t0))
  ((induct (list-2-induct p1 p2))))

(prove-lemma pval-phist ()
  (equal (pval (phist p t0) t0)
         (pval p t0)))

(prove-lemma equal-phist-pval (rewrite)
  (implies (equal (phist p1 t0) (phist p2 t0))
           (equal (equal (pval p1 t0) (pval p2 t0))
                  t))
  ((use (pval-phist (p p1)) (pval-phist (p p2)))))

(defn sn-induct (flag m b p1 p2)
  (if (equal flag 'list)
      (if (listp m)
          (and (sn-induct t (car m) (car b) (car p1) (car p2))
               (sn-induct flag (cdr m) (cdr b) (cdr p1) (cdr p2)))
          t)
      (if (structp m)
          (sn-induct 'list (s m) b (inps m p1 b) (inps m p2 b))
          t)))

(prove-lemma step-nonpred-1 ()
  (implies (and (modulep$ flag m)
                (bundlep$ flag b m)
                (equal (phist$ flag p1 t0) (phist$ flag p2 t0)))
           (equal (step$ flag m p1 b t0) (step$ flag m p2 b t0)))
  ((disable exec)
   (induct (sn-induct flag m b p1 p2))))

;;Unlike EXEC, STEP depends in general on the history (and not merely
;;the current values) of the input. However, STEP is "nonpredictive",
;;i.e., independent of future input:

(prove-lemma step-nonpredictive (rewrite)
  (implies (and (modulep m)
                (bundlep b m)
                (equal (phist p1 t0) (phist p2 t0)))
           (equal (equal (step m p1 b t0) (step m p2 b t0))
                  t))
  ((use (step-nonpred-1 (flag t)))))

;;INPACKETP tests whether P is a valid input packet for M:

(defn inpacketp (p m)
  (packetp p (length (i m))))
(defn inpacketp$ (flag p m)
  (if (equal flag 'list)
      (if (listp m)
          (and (inpacketp (car p) (car m))
               (inpacketp$ 'list (cdr p) (cdr m)))
          t)
      (inpacketp p m)))

(prove-lemma wavep-lookup (rewrite)
  (implies (and (packetp w n)
                (equal (length v) n)
                (member z v))
           (wavep (lookup z v w))))

(defn packetp$ (flag p n)
  (if (equal flag 'list)
      (if (listp n)
          (and (packetp (car p) (car n))
               (packetp$ 'list (cdr p) (cdr n)))
          t)
      (packetp p n)))

(defn length$ (flag l)
  (if (equal flag 'list)
      (if (listp l)
          (cons (length (car l)) (length$ 'list (cdr l)))
          ())
      (length l)))

(prove-lemma wavep-select-wave (rewrite)
  (implies (and (packetp$ 'list p ns)
                (equal (length$ 'list subouts) ns)
                (appears z subouts))
           (wavep (select-wave z subouts p))))

(prove-lemma packetp$-select-packet (rewrite)
  (implies (and (packetp$ 'list p ns)
                (equal (length$ 'list subouts) ns)
                (all-appear souts subouts))
           (packetp (select-packet souts subouts p)
                    (length souts))))

(defn no$ (flag mod)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (no (car mod))
                (no$ 'list (cdr mod)))
          ())
      (no mod)))

(prove-lemma match-outputs-length$ (rewrite)
  (implies (and (match-outputs x y)
                (equal (length x) (length y)))
           (equal (length$ 'list x) (no$ 'list y))))

(prove-lemma packetp-output-packet-1 (rewrite)
  (implies (and (packetp$ 'list
                          (outp$ 'list s (s mod))
                          (no$ 'list (s mod)))
                (structp mod)
                (modulep mod))
           (packetp (select-packet (o mod)
                                   (lo mod)
                                   (outp$ 'list s (s mod)))
                    (no mod))))

(prove-lemma packetp$-outp$ (rewrite)
  (implies (and (modulep$ flag m)
                (bundlep$ flag b m))
           (packetp$ flag
                     (outp$ flag m b)
                     (no$ flag m)))
  ((disable packetp)))

(prove-lemma packetp$-outp$-list (rewrite)
  (implies (and (structp mod)
                (modulep mod)
                (bundlep b mod))
           (packetp$ 'list
                     (outp$ 'list (s mod) b)
                     (no$ 'list (s mod)))))

(prove-lemma packetp-length (rewrite)
  (implies (packetp p n)
           (packetp p (length p))))

(prove-lemma packetp$-cons-inp-outs (rewrite)
  (implies (and (structp m)
                (modulep m)
                (bundlep b m)
                (inpacketp p m))
           (packetp$ 'list
                     (cons p (outp$ 'list (s m) b))
                     (cons (length p) (length$ 'list (lo m)))))
  ((disable bundlep)))

(prove-lemma packetp$-select-packet-2 (rewrite)
  (implies (and (packetp$ 'list p (length$ 'list p))
                (equal (length$ 'list subouts) (length$ 'list p))
                (all-appear souts subouts))
           (packetp (select-packet souts subouts p)
                    (length souts))))

(prove-lemma length-select-packet (rewrite)
  (equal (length (select-packet x y z))
         (length x)))

(prove-lemma length-packet (rewrite)
  (implies (packetp p n)
           (equal (length p) (fix n))))

(prove-lemma length-outp (rewrite)
  (implies (and (bundlep b m)
                (modulep m))
           (equal (length (outp$ t m b))
                  (no m)))
  ((expand (outp$ t m b))))
(prove-lemma length$-outp$ (rewrite)
  (implies (and (bundlep$ flag b m)
                (modulep$ flag m))
           (equal (length$ flag (outp$ flag m b))
                  (no$ flag m))))

(prove-lemma length-lo ()
  (implies (and (modulep m)
                (structp m))
           (equal (no$ 'list (s m))
                  (length$ 'list (lo m)))))

(prove-lemma packetp-input-packet (rewrite)
  (implies (and (structp m)
                (modulep m)
                (bundlep b m)
                (inpacketp p m)
                (all-appear ins (cons (i m) (lo m))))
           (packetp (input-packet ins p b m) (length ins)))
  ((disable packetp$ length-packet)
   (use (length-lo)
        (length-packet (n (length (i m)))))
   (expand (bundlep$ t b m))))

(prove-lemma packetsp-input-packets (rewrite)
  (implies (and (structp m)
                (modulep m)
                (bundlep b m)
                (inpacketp p m)
                (lists-all-appear li (cons (i m) (lo m))))
           (packetp$ 'list
                     (input-packets li p b m)
                     (length$ 'list li)))
  ((disable input-packet)
   (induct (input-packets li p b m))))

(defn ni$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (cons (ni (car m))
                (ni$ 'list (cdr m)))
          ())
      (ni m)))

(prove-lemma inpacketp$-packetp$ ()
  (equal (inpacketp$ 'list p s)
         (packetp$ 'list p (ni$ 'list s))))

(prove-lemma match-inputs-length$ (rewrite)
  (implies (and (match-inputs x y)
                (equal (length x) (length y)))
           (equal (length$ 'list x) (ni$ 'list y))))

(prove-lemma packetp$-li ()
  (implies (and (modulep m)
                (structp m))
           (equal (inpacketp$ 'list p (s m))
                  (packetp$ 'list p (length$ 'list (li m)))))
  ((use (inpacketp$-packetp$ (s (s m))))))
(prove-lemma inpacketp$-inps (rewrite)
  (implies (and (structp m)
                (modulep m)
                (bundlep b m)
                (inpacketp p m))
           (inpacketp$ 'list (inps m p b) (s m)))
  ((expand (modulep$ t m))
   (disable match-inputs-length$)
   (use (packetp$-li (p (inps m p b))))))

(prove-lemma bundlep$-step$ ()
  (implies (and (modulep$ flag m)
                (inpacketp$ flag p m)
                (bundlep$ flag b m))
           (bundlep$ flag (step$ flag m p b t0) m))
  ((disable exec check-behav inps)))

;;Under normal conditions, STEP always produces a valid bundle:

(prove-lemma bundlep-step (rewrite)
  (implies (and (modulep m)
                (inpacketp p m)
                (bundlep b m))
           (bundlep (step m p b t0) m))
  ((use (bundlep$-step$ (flag t)))))


;;***********************************************************************
;;                              SIMULATION
;;***********************************************************************


(prove-lemma whist-whist ()
  (implies (leq t0 t1)
           (equal (whist w t0)
                  (whist (whist w t1) t0))))

(prove-lemma equal-whist-leq (rewrite)
  (implies (and (equal (whist w1 t1) (whist w2 t1))
                (leq t0 t1))
           (equal (equal (whist w1 t0) (whist w2 t0))
                  t))
  ((use (whist-whist (w w1)) (whist-whist (w w2)))))

(prove-lemma equal-phist-leq (rewrite)
  (implies (and (equal (phist b1 t1) (phist b2 t1))
                (leq t0 t1))
           (equal (equal (phist b1 t0) (phist b2 t0))
                  t))
  ((induct (list-2-induct b1 b2))))

(prove-lemma equal-bhist$-leq ()
  (implies (and (equal (bhist$ flag b1 m t1) (bhist$ flag b2 m t1))
                (leq t0 t1))
           (equal (bhist$ flag b1 m t0) (bhist$ flag b2 m t0))))

(prove-lemma equal-bhist-leq (rewrite)
  (implies (and (equal (bhist b1 m t1) (bhist b2 m t1))
                (leq t0 t1))
           (equal (equal (bhist b1 m t0) (bhist b2 m t0))
                  t))
  ((use (equal-bhist$-leq (flag t)))))

;;RUN is "nonretroactive", i.e., does not alter the history of the
;;bundle B w.r.t. the initial time T0:

(prove-lemma run-nonretroactive (rewrite)
  (implies (and (modulep m)
                (bundlep b m)
                (inpacketp p m))
           (equal (bhist (run m p b t0 tf) m t0)
                  (bhist b m t0)))
  ((disable step bundlep modulep inpacketp bhist)))

(prove-lemma tnextw-tnextw (rewrite)
  (implies (and (lessp tp (tnextw w t0))
                (wavep w)
                (leq t0 tp))
           (equal (tnextw w tp) (tnextw w t0))))

(prove-lemma leq-tnextw-cdar (rewrite)
  (implies (and (wavep w)
                (lessp t0 (cdar w)))
           (not (lessp (cdar w) (tnextw w t0)))))

(prove-lemma tnextw-tnextw-2 (rewrite)
  (implies (and (tnextw w tp)
                (wavep w)
                (leq t0 tp))
           (not (lessp (tnextw w tp) (tnextw w t0)))))

(prove-lemma tnextp-true (rewrite)
  (implies (and (not (lessp tp t0))
                (tnextp p tp))
           (tnextp p t0)))

(prove-lemma tnextw-true (rewrite)
  (implies (and (not (lessp tp t0))
                (tnextw w tp))
           (tnextw w t0)))

(prove-lemma tnextp-tnextp (rewrite)
  (implies (and (packetp p n)
                (lessp tp (tnextp p t0))
                (leq t0 tp))
           (equal (tnextp p tp) (tnextp p t0)))
  ((disable tnextw wavep)))

(prove-lemma tnextb$-true (rewrite)
  (implies (and (not (lessp tp t0))
                (tnextb$ flag b m tp))
           (tnextb$ flag b m t0)))

(prove-lemma tnextb$-tnextb$ (rewrite)
  (implies (and (modulep$ flag m)
                (bundlep$ flag b m)
                (lessp tp (tnextb$ flag b m t0))
                (leq t0 tp))
           (equal (tnextb$ flag b m tp) (tnextb$ flag b m t0))))

(prove-lemma lessp-emin ()
  (implies (and x y (lessp m (emin x y)))
           (and (lessp m x) (lessp m y))))

(prove-lemma tnext-tnext (rewrite)
  (implies (and (modulep m)
                (bundlep b m)
                (inpacketp p m)
                (lessp tp (tnext t0 p b m))
                (leq t0 tp))
           (equal (tnext tp p b m) (tnext t0 p b m)))
  ((use (lessp-emin (x (tnextb$ t b m t0)) (y (tnextp p t0)) (m tp)))))

(prove-lemma tnext-true (rewrite)
  (implies (and (not (lessp tp t0))
                (tnext tp p b m))
           (tnext t0 p b m)))


;;This lemma provides for the decomposition of a simulation interval
;;into two subintervals:

(prove-lemma run-run ()
  (implies (and (modulep m)
                (bundlep b m)
                (inpacketp p m)
                (leq t0 tp) (leq tp tf))
           (equal (run m p b t0 tf)
                  (run m p (run m p b t0 tp) tp tf)))
  ((disable step tnext bundlep modulep)
   (induct (run m p b t0 tf))
   (expand (run m p b tp tf) (run m p b t0 tp))))

;;Under normal conditions, RUN always produces a valid bundle:

(prove-lemma bundlep-run (rewrite)
  (implies (and (modulep m)
                (inpacketp p m)
                (bundlep b m))
           (bundlep (run m p b t0 tf) m))
  ((disable modulep bundlep step inpacketp tnext)))


C Synchronous Sequential Circuits

;;***********************************************************************
;; COMBINATIONAL MODULES
;;***********************************************************************

;;We begin with the relatively simple class of "combinational" modules.
;;The definition of this class depends on a function SLEVEL$$, which
;;computes the maximum path length from any input signal to a given signal
;;of an arbitrary module. The definition of SLEVEL$$ is difficult to
;;establish for two reasons: (1) we allow arbitrarily deep hierarchical
;;module definitions, and (2) the desired maximum path length may not exist:
;;the signal may lie on a structural loop, which must be effectively
;;detected.

(defn unionl (l)
  (if (listp l)
      (union (car l) (unionl (cdr l)))
    ()))

(defn signals (mod)
  (unionl (cons (i mod) (lo mod))))

(defn delete (x l)
  (if (listp l)
      (if (equal x (car l))
          (cdr l)
        (cons (car l) (delete x (cdr l))))
    l))

(defn subbagp (l m)
  (if (listp l)
      (and (member (car l) m)
           (subbagp (cdr l) (delete (car l) m)))
    t))

(defn subsetp (l m)
  (if (listp l)
      (and (member (car l) m)
           (subsetp (cdr l) m))
    t))

(prove-lemma length-delete (rewrite)
  (implies (member x l)
           (equal (length (delete x l))
                  (sub1 (length l)))))

(prove-lemma member-delete (rewrite)
  (implies (and (member x l)
                (not (equal x y)))
           (member x (delete y l))))

(prove-lemma lessp-length-subbagp ()
  (implies (and (subbagp l m)
                (member x m)
                (not (member x l)))
           (lessp (length l) (length m))))

(prove-lemma subsetp-delete (rewrite)
  (implies (and (subsetp l m)
                (not (member x l)))
           (subsetp l (delete x m))))

(prove-lemma subsetp-subbagp (rewrite)
  (implies (and (distinct-symbols l)
                (subsetp l m))
           (subbagp l m))
  ((induct (subbagp l m))))

(prove-lemma lessp-length-subset (rewrite)
  (implies (and (subsetp l m)
                (distinct-symbols l)
                (member x m)
                (not (member x l)))
           (lessp (length l) (length m)))
  ((use (lessp-length-subbagp))))

(defn index (s lo)
  (if (listp lo)
      (if (member s (car lo))
          0
        (add1 (index s (cdr lo))))
    f))

(defn slevel$$ (flag out m bad q)
  ;(SLEVEL$$ T OUT M () Q) is the length of the longest path to OUT that does not
  ;pass through any of the first Q submodules of M
  (if (equal flag 'list)
      (if (listp out)
          (emax (slevel$$ t (car out) m bad q)
                (slevel$$ 'list (cdr out) m bad q))
        0)
    (if (or (member out (i m))
            (lessp (index out (lo m)) q))
        0
      (if (and (not (member out bad))
               (distinct-symbols bad)
               (member out (signals m))
               (subsetp bad (signals m)))
          (add1 (slevel$$ 'list (find-li out m) m (cons out bad) q))
        f)))
  ((ord-lessp (lex (list (difference (length (signals m)) (length bad))
                         (count out))))))

;;SDEPTH returns the maximum SLEVEL$$ of all signals of M:

(defn sdepth (m q)
  (slevel$$ 'list (signals m) m () q))

;;The final argument of SLEVEL$$ will be relevant to our analysis of
;;sequential modules. For the present purpose, we take it to be 0.
;;We may now define "combinational module":

(defn combp$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (and (combp$ t (car m))
               (combp$ 'list (cdr m)))
        t)
    (if (modulep m)
        (case (type m)
          (struct (and (sdepth m 0) (combp$ 'list (s m))))
          (behav t)
          (otherwise f))
      f)))

(defn combp (m) (combp$ t m))

;;Now that SLEVEL$$ has been defined, we may use it to define a simpler
;;version, SLEVEL$, which will be easier to use. The purpose of this
;;function is to provide a recursion scheme for various functions
;;pertaining to combinational and sequential modules.

;;The definition will take some work:

(prove-lemma member-slevel$$ (rewrite)
  (implies (and (member s l)
                (slevel$$ 'list l m bad q))
           (slevel$$ t s m bad q)))

(prove-lemma subsetp-slevel$$ (rewrite)
  (implies (and (subsetp s l)
                (slevel$$ 'list l m bad q))
           (slevel$$ 'list s m bad q)))

(prove-lemma signals-slevel$$ (rewrite)
  (implies (and (sdepth m q) (subsetp s (signals m)))
           (slevel$$ 'list s m () q))
  ((use (subsetp-slevel$$ (l (signals m)) (bad ())))))

(prove-lemma leq-slevel$$-cdr (rewrite)
  (implies (and (sdepth m q) (listp s) (subsetp s (signals m)))
           (equal (lessp (slevel$$ 'list s m () q)
                         (slevel$$ 'list (cdr s) m () q))
                  f))
  ((use (signals-slevel$$))
   (expand (slevel$$ 'list s m () q))))

(prove-lemma leq-slevel$$-car (rewrite)
  (implies (and (sdepth m q) (listp s) (subsetp s (signals m)))
           (equal (lessp (slevel$$ 'list s m () q)
                         (slevel$$ t (car s) m () q))
                  f))
  ((use (signals-slevel$$))
   (expand (slevel$$ 'list s m () q))))


(defn ss-induct (flag s m bad1 bad2 q)
  (if (equal flag 'list)
      (if (listp s)
          (and (ss-induct t (car s) m bad1 bad2 q)
               (ss-induct 'list (cdr s) m bad1 bad2 q))
        t)
    (if (or (member s (i m))
            (lessp (index s (lo m)) q))
        t
      (if (and (not (member s bad2))
               (distinct-symbols bad2)
               (member s (signals m))
               (subsetp bad2 (signals m)))
          (ss-induct 'list (find-li s m) m (cons s bad1) (cons s bad2) q)
        t)))
  ((ord-lessp (lex (list (difference (length (signals m)) (length bad2))
                         (count s))))))

(defn sublistp (l m)
  (if (listp l)
      (if (listp m)
          (if (equal (car l) (car m))
              (sublistp (cdr l) (cdr m))
            (sublistp l (cdr m)))
        f)
    t))

(prove-lemma distinct-symbols-sublistp (rewrite)
  (implies (and (distinct-symbols m)
                (sublistp l m))
           (distinct-symbols l)))

(prove-lemma sublistp-subsetp (rewrite)
  (implies (and (sublistp l m)
                (subsetp m p))
           (subsetp l p)))

(prove-lemma sublistp-member (rewrite)
  (implies (and (sublistp l m)
                (member x l))
           (member x m)))

(disable sublistp-member)

(prove-lemma slevel$$-sublistp ()
  (implies (and (slevel$$ flag s m bad2 q)
                (sublistp bad1 bad2))
           (equal (slevel$$ flag s m bad1 q)
                  (slevel$$ flag s m bad2 q)))
  ((induct (ss-induct flag s m bad1 bad2 q))
   (enable sublistp-member)))

(prove-lemma slevel$$-nil (rewrite)
  (implies (slevel$$ flag s m (list b) q)
           (equal (slevel$$ flag s m (list b) q)
                  (slevel$$ flag s m () q)))
  ((use (slevel$$-sublistp (bad1 ()) (bad2 (list b))))))

(prove-lemma slevel$$-list-find-li (rewrite)
  (implies (and (sdepth m q)
                (member s (signals m))
                (not (member s (i m)))
                (not (lessp (index s (lo m)) q)))
           (slevel$$ 'list (lookupl s (lo m) (li m)) m (list s) q))
  ((use (member-slevel$$ (l (signals m)) (bad ())))
   (disable member-slevel$$)))

(prove-lemma slevel$$-list-find-li-nil (rewrite)
  (implies (and (sdepth m q)
                (member s (signals m))
                (not (member s (i m)))
                (not (lessp (index s (lo m)) q)))
           (slevel$$ 'list (lookupl s (lo m) (li m)) m () q))
  ((use (slevel$$-list-find-li))))

(prove-lemma lessp-slevel$$-find-li (rewrite)
  (implies (and (sdepth m q)
                (not (equal flag 'list))
                (member s (signals m))
                (not (member s (i m)))
                (not (lessp (index s (lo m)) q)))
           (equal (lessp (slevel$$ 'list (lookupl s (lo m) (li m)) m () q)
                         (slevel$$ flag s m () q))
                  t))
  ((expand (slevel$$ flag s m () q))))

(defn slevel$ (flag s m q)
  (if (sdepth m q)
      (if (equal flag 'list)
          (if (subsetp s (signals m))
              (if (listp s)
                  (max (slevel$ t (car s) m q)
                       (slevel$ 'list (cdr s) m q))
                0)
            f)
        (if (member s (signals m))
            (if (or (member s (i m))
                    (lessp (index s (lo m)) q))
                0
              (add1 (slevel$ 'list (find-li s m) m q)))
          f))
    f)
  ((ord-lessp (lex (list (slevel$$ flag s m () q) (count s))))))

(prove-lemma leq-slevel$-cdr (rewrite)
  (implies (and (sdepth m q) (listp s) (subsetp s (signals m)))
           (equal (lessp (slevel$ 'list s m q)
                         (slevel$ 'list (cdr s) m q))
                  f)))

(prove-lemma leq-slevel$-car (rewrite)
  (implies (and (sdepth m q) (listp s) (subsetp s (signals m)))
           (equal (lessp (slevel$ 'list s m q)
                         (slevel$ t (car s) m q))
                  f)))

(prove-lemma lessp-slevel$-find-li (rewrite)
  (implies (and (sdepth m q)
                (not (equal flag 'list))
                (member s (signals m))
                (not (member s (i m)))
                (not (lessp (index s (lo m)) q)))
           (equal (lessp (slevel$ 'list (lookupl s (lo m) (li m)) m q)
                         (slevel$ flag s m q))
                  t)))

(prove-lemma combp-sdepth (rewrite)
  (implies (and (structp m) (combp m))
           (sdepth m 0)))

(prove-lemma lessp-count-lookup (rewrite)
  (implies (lessp (count s) (count m))
           (equal (lessp (count (lookupl x y s)) (count m))
                  t)))

;;CVECP determines whether V is a valid input vector for M:

(defn cvecp (v m)
  (bvpn v (ni m)))

;;Each signal of a combinational module is naturally associated
;;with a certain Boolean function of the inputs. This function
;;is computed as follows:

(defn cv$ (flag s v m)
  (if (equal flag 'list)
      (if (and (combp m) (structp m) (subsetp s (signals m)))
          (if (listp s)
              (cons (cv$ t (car s) v m)
                    (cv$ 'list (cdr s) v m))
            ())
        f)
    (if (behavp m)
        (aval (lookup s (o m) (r m)) (pairlist (i m) v))
      (if (and (combp m) (member s (signals m)))
          (if (and (structp m) (member s (signals m)))
              (if (member s (i m))
                  (lookup s (i m) v)
                (cv$ t
                     (find-o s m)
                     (cv$ 'list (find-li s m) v m)
                     (find-s s m)))
            f)
        f)))
  ((ord-lessp (lex (list (count m) (slevel$ flag s m 0) (count s))))))

(defn cv (s v m)
  (cv$ t s v m))

;;Each signal S of a combinational module M is associated with
;;a maximum and a minimum delay, which represent the range of total
;;delays along all paths connecting the inputs of M to S:

(defn dcmin$ (flag s m)
  (if (equal flag 'list)
      (if (and (combp m) (structp m) (subsetp s (signals m)))
          (if (listp s)
              (emin (dcmin$ t (car s) m)
                    (dcmin$ 'list (cdr s) m))
            f)
        f)
    (if (behavp m)
        (lookup s (o m) (d m))
      (if (and (combp m) (member s (signals m)))
          (if (and (structp m) (member s (signals m)))
              (if (member s (i m))
                  0
                (eplus (dcmin$ t (find-o s m) (find-s s m))
                       (dcmin$ 'list (find-li s m) m)))
            f)
        f)))
  ((ord-lessp (lex (list (count m) (slevel$ flag s m 0) (count s))))))

(defn dcmin (s m) (dcmin$ t s m))

(defn dcmax$ (flag s m)
  (if (equal flag 'list)
      (if (and (combp m) (structp m) (subsetp s (signals m)))
          (if (listp s)
              (emax (dcmax$ t (car s) m)
                    (dcmax$ 'list (cdr s) m))
            0)
        f)
    (if (behavp m)
        (lookup s (o m) (d m))
      (if (and (combp m) (member s (signals m)))
          (if (and (structp m) (member s (signals m)))
              (if (member s (i m))
                  0
                (eplus (dcmax$ t (find-o s m) (find-s s m))
                       (dcmax$ 'list (find-li s m) m)))
            f)
        f)))
  ((ord-lessp (lex (list (count m) (slevel$ flag s m 0) (count s))))))

(defn dcmax (s m) (dcmax$ t s m))
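As an added illustration that is not code from the paper, the following Python carries out the combinational analysis defined above (SLEVEL$$ with its BAD list for loop detection, SDEPTH, COMBP, CV and DCMIN/DCMAX) on a constructed NAND-built XOR and on a cross-coupled NAND pair that forms a structural loop. The dict encoding of modules, the callable-per-output form of behavioural modules and the gate names are assumptions of the example; the Q argument is kept so that the restriction used for sequential modules below can be exercised too.

```python
# Added example, not code from the paper: the combinational analysis above
# (SLEVEL$$ with its BAD list, SDEPTH, COMBP, CV, DCMIN/DCMAX) in Python.
# Module encoding is an assumption of this example: a behavioural module
# carries a callable per output ("r") and a delay per output ("d") instead
# of the paper's expression list; a structural module carries i, o, s, li, lo.

def nand_gate(delay):
    """Constructed behavioural module: one NAND gate with the given delay."""
    return {"type": "behav", "i": ["x", "y"], "o": ["z"],
            "r": {"z": lambda env: not (env["x"] and env["y"])},
            "d": {"z": delay}}

def signals(m):
    """(SIGNALS M): the global inputs plus every submodule output."""
    out = list(m["i"])
    for lo in m["lo"]:
        out.extend(x for x in lo if x not in out)
    return out

def index(s, lo):
    """(INDEX S LO): position of the submodule driving S, or None."""
    for k, outs in enumerate(lo):
        if s in outs:
            return k
    return None

def find_li(s, m):
    """(FIND-LI S M): the input signals of the submodule driving S."""
    return m["li"][index(s, m["lo"])]

def find_sub_out(s, m):
    """(FIND-S S M), (FIND-O S M): the driving submodule and its output name."""
    k = index(s, m["lo"])
    sub = m["s"][k]
    return sub, sub["o"][m["lo"][k].index(s)]

def slevel(out, m, bad=(), q=0):
    """(SLEVEL$$ T OUT M BAD Q): length of the longest path to OUT avoiding the
    first Q submodules; None when OUT lies on a structural loop."""
    k = index(out, m["lo"])
    if out in m["i"] or (k is not None and k < q):
        return 0
    if k is None or out in bad:      # not a signal, or revisited on this path
        return None
    levels = [slevel(x, m, bad + (out,), q) for x in find_li(out, m)]
    return None if None in levels else 1 + max(levels, default=0)

def sdepth(m, q=0):
    """(SDEPTH M Q): maximum SLEVEL$$ over all signals; None on any loop."""
    levels = [slevel(x, m, (), q) for x in signals(m)]
    return None if None in levels else max(levels, default=0)

def combp(m):
    """(COMBP M): behavioural modules are combinational; a structural module
    is combinational iff it is loop-free and all its submodules are."""
    if m["type"] == "behav":
        return True
    return sdepth(m, 0) is not None and all(combp(sub) for sub in m["s"])

def cv(s, v, m):
    """(CV S V M): Boolean value of signal S under input vector V (a dict)."""
    if m["type"] == "behav":
        return m["r"][s](v)
    if s in m["i"]:
        return v[s]
    if not combp(m):                 # CV is defined only on combinational modules
        return None
    sub, sub_out = find_sub_out(s, m)
    sub_v = dict(zip(sub["i"], [cv(x, v, m) for x in find_li(s, m)]))
    return cv(sub_out, sub_v, sub)

def dc(s, m, pick):
    """(DCMIN S M) with pick=min, (DCMAX S M) with pick=max: total delay along
    the shortest / longest path from the inputs of M to S."""
    if m["type"] == "behav":
        return m["d"][s]
    if s in m["i"]:
        return 0
    sub, sub_out = find_sub_out(s, m)
    return dc(sub_out, sub, pick) + pick((dc(x, m, pick) for x in find_li(s, m)), default=0)

def dcmin(s, m):
    return dc(s, m, min)

def dcmax(s, m):
    return dc(s, m, max)

# Constructed module: XOR from four NANDs of delay 2 (internal signals n1..n3).
XOR = {"type": "struct", "i": ["a", "b"], "o": ["y"],
       "s": [nand_gate(2)] * 4,
       "li": [["a", "b"], ["a", "n1"], ["b", "n1"], ["n2", "n3"]],
       "lo": [["n1"], ["n2"], ["n3"], ["y"]]}

# Constructed module: cross-coupled NANDs (SR latch); q and qb form a loop.
LATCH = {"type": "struct", "i": ["s", "r"], "o": ["q", "qb"],
         "s": [nand_gate(2)] * 2,
         "li": [["s", "qb"], ["r", "q"]],
         "lo": [["q"], ["qb"]]}
```

For the XOR, `sdepth` is 3 and `combp` holds, while for the latch `sdepth` returns None, so `combp` fails exactly as the paper's SLEVEL$$ returns F on a structural loop.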


;;***********************************************************************
;; SEQUENTIAL MODULES
;;***********************************************************************

;;We shall define a class of synchronous sequential circuits, using the
;;flip-flop DFF as the primitive state-holding device. The recursive
;;definition will require that for some Q > 0, the first Q submodules
;;of a sequential module M (other than DFF) are sequential and the rest
;;are all combinational. For any module M, we define the parameter
;;(Q M) as follows:

(defn q$ (mods)
  (if (listp mods)
      (if (combp (car mods))
          0
        (add1 (q$ (cdr mods))))
    0))

(defn q (m)
  (q$ (s m)))

(prove-lemma leq-q$ ()
  (leq (q$ s) (length s)))

(prove-lemma lessp-count-firstn ()
  (implies (and (plistp l) (leq q (length l)))
           (leq (count (firstn q l)) (count l)))
  ((induct (firstn q l))))

(prove-lemma lessp-count-first-q (rewrite)
  (implies (and (modulep m) (structp m))
           (equal (lessp (count (firstn (q$ (s m)) (s m)))
                         (count m))
                  t))
  ((use (lessp-count-firstn (q (q m)) (l (s m)))
        (lessp-count-submodules)
        (leq-q$ (s (s m))))
   (disable lessp-count-submodules)))

;;A path is "combinational" if it passes through only combinational
;;components. A signal is "native" if it is not connected to any
;;global input by a combinational path:

(defn nativep$ (flag s m)
  (if (sdepth m (q m))
      (if (equal flag 'list)
          (if (subsetp s (signals m))
              (if (listp s)
                  (and (nativep$ t (car s) m)
                       (nativep$ 'list (cdr s) m))
                t)
            f)
        (if (equal m (dff))
            (member s (o m))
          (if (member s (signals m))
              (if (member s (i m))
                  f
                (if (lessp (index s (lo m)) (q m))
                    t
                  (nativep$ 'list (find-li s m) m)))
            f)))
    f)
  ((ord-lessp (lex (list (slevel$ flag s m (q m)) (count s))))))

(defn nativep (s m) (nativep$ t s m))

(defn check-seq-li (clk rst li)
  (if (listp li)
      (and (equal clk (caar li))
           (equal rst (cadar li))
           (not (member clk (cddar li)))
           (not (member rst (cddar li)))
           (check-seq-li clk rst (cdr li)))
    t))

(defn check-comb-li (clk rst li)
  (if (listp li)
      (and (not (member clk (car li)))
           (not (member rst (car li)))
           (check-comb-li clk rst (cdr li)))
    t))

;;A sequential module other than DFF has Q sequential submodules, Q > 0,
;;with the rest combinational. It has at least two inputs. The first
;;and second inputs are by convention the clock and the reset. The clock
;;(resp., reset) is connected to the clock (resp., reset) input of each
;;sequential submodule, and not to any other submodule input. No combinational
;;loops are permitted. Finally, all outputs are required to be native signals:

(defn seqp$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (and (seqp$ t (car m))
               (seqp$ 'list (cdr m)))
        t)
    (if (and (modulep m) (structp m))
        (or (equal m (dff))
            (and (geq (ni m) 2)
                 (not (zerop (q m)))
                 (seqp$ 'list (firstn (q m) (s m)))
                 (check-seq-li (car (i m)) (cadr (i m)) (firstn (q m) (li m)))
                 (check-comb-li (car (i m)) (cadr (i m)) (cdrn (q m) (li m)))
                 (sdepth m (q m))
                 (nativep$ 'list (o m) m)))
      f))
  ((lessp (count m))))

(defn seqp (m) (seqp$ t m))
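The wiring conditions of SEQP just stated, as an added Python example that is not the paper's code: Q$ splits the submodule list into a sequential prefix and a combinational remainder, and CHECK-SEQ-LI and CHECK-COMB-LI enforce the clock/reset convention. The dict encoding of modules and the "kind" tag marking a submodule as the primitive DFF or as combinational logic are assumptions of the example, and the SDEPTH and NATIVEP$ conjuncts (which need SLEVEL$) are left out.

```python
# Added example, not the paper's code: the wiring conjuncts of SEQP above.
# Q$ splits the submodule list into a sequential prefix and a combinational
# remainder; CHECK-SEQ-LI and CHECK-COMB-LI enforce the clock/reset convention.
# Assumed encoding: a "kind" tag marks a submodule as the primitive DFF or as
# combinational logic; "i", "s", "li" and "lo" follow the paper's selectors.

DFF = {"kind": "dff", "i": ["clk", "rst", "d"], "o": ["q", "qb"]}
NAND = {"kind": "comb", "i": ["x", "y"], "o": ["z"]}

def q_of(subs):
    """(Q$ MODS): number of leading submodules that are not combinational."""
    n = 0
    for sub in subs:
        if sub["kind"] == "comb":
            break
        n += 1
    return n

def check_seq_li(clk, rst, li):
    """(CHECK-SEQ-LI CLK RST LI): each sequential submodule takes CLK and RST
    as its first two inputs and nowhere else."""
    return all(len(ins) >= 2 and ins[0] == clk and ins[1] == rst
               and clk not in ins[2:] and rst not in ins[2:] for ins in li)

def check_comb_li(clk, rst, li):
    """(CHECK-COMB-LI CLK RST LI): no combinational submodule sees CLK or RST."""
    return all(clk not in ins and rst not in ins for ins in li)

def seq_wiring_ok(m):
    """The structural conjuncts of SEQP for a module other than DFF: at least
    two inputs, a non-empty sequential prefix, and clock/reset routed only to
    that prefix. The SDEPTH and NATIVEP$ conjuncts are not checked here."""
    if len(m["i"]) < 2:
        return False
    q = q_of(m["s"])
    clk, rst = m["i"][0], m["i"][1]
    return (q > 0
            and check_seq_li(clk, rst, m["li"][:q])
            and check_comb_li(clk, rst, m["li"][q:]))

# Constructed toggle flip-flop: one DFF whose D input is NAND(q, q), i.e. NOT q.
TOGGLE = {"i": ["clk", "rst"], "o": ["q"], "s": [DFF, NAND],
          "li": [["clk", "rst", "d"], ["q", "q"]],
          "lo": [["q", "qb"], ["d"]]}

# Constructed violation: the reset is also wired into the combinational gate.
BAD_TOGGLE = {"i": ["clk", "rst"], "o": ["q"], "s": [DFF, NAND],
              "li": [["clk", "rst", "d"], ["q", "rst"]],
              "lo": [["q", "qb"], ["d"]]}

# Constructed violation: a combinational submodule listed before the DFF, so
# the sequential prefix is empty (Q = 0).
UNSORTED = {"i": ["clk", "rst"], "o": ["q"], "s": [NAND, DFF],
            "li": [["q", "q"], ["clk", "rst", "d"]],
            "lo": [["d"], ["q", "qb"]]}
```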

(prove-lemma lessp-count-car-s (rewrite)
  (implies (structp m)
           (equal (lessp (count (car (s m))) (count m))
                  t))
  ((use (lessp-count-submodules))
   (disable lessp-count-submodules)))

(prove-lemma modulep-seqp (rewrite)
  (implies (seqp m)
           (modulep$ t m)))

(prove-lemma seqp-sdepth (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (sdepth m (q$ (s m))))
  ((disable sdepth dff q$)))

(prove-lemma seqp-structp (rewrite)
  (implies (seqp m) (equal (type m) 'struct)))

;;A native signal S of M is "registered" if either (a) M = DFF and S is an
;;output of M, or (b) M <> DFF and S is associated with a registered output
;;of a sequential submodule of M:

(defn regp (s m)
  (if (seqp m)
      (if (equal m (dff))
          (member s (o m))
        (and (lessp (index s (lo m)) (q m))
             (regp (find-o s m) (find-s s m))))
    f))

;;A "state" of a sequential module is a structure that associates a
;;Boolean value with each flip-flop:

(defn statep$ (flag state m)
  (if (equal flag 'list)
      (if (listp m)
          (and (statep$ t (car state) (car m))
               (statep$ 'list (cdr state) (cdr m)))
        (equal state ()))
    (if (and (modulep m) (structp m))
        (if (equal m (dff))
            (boolp state)
          (if (equal (q m) 1)
              (statep$ t state (car (s m)))
            (statep$ 'list state (firstn (q m) (s m)))))
      f)))

(defn statep (state m)
  (statep$ t state m))

(defn find-state (s state m)
  (if (equal (q m) 1)
      state
    (lookupl s (lo m) state)))

(disable sdepth)

;;A state determines a "resultant value" for each native signal:

(defn rv$ (flag s state m)
  (if (seqp m)
      (if (equal flag 'list)
          (if (and (subsetp s (signals m)) (not (equal m (dff))))
              (if (listp s)
                  (cons (rv$ t (car s) state m)
                        (rv$ 'list (cdr s) state m))
                ())
            f)
        (if (member s (signals m))
            (if (member s (i m))
                f
              (if (equal m (dff))
                  (if (equal s 'q) state (not state))
                (if (lessp (index s (lo m)) (q m))
                    (rv$ t (find-o s m) (find-state s state m) (find-s s m))
                  (cv (find-o s m) (rv$ 'list (find-li s m) state m) (find-s s m)))))
          f))
    f)
  ((ord-lessp (lex (list (count m) (slevel$ flag s m (q m)) (count s))))))

(defn rv (s state m) (rv$ t s state m))

;;A "data vector" associates a Boolean value with each data input:

(defn svecp (x m)
  (bvpn x (difference (ni m) 2)))

;;A state and a data vector determine a "sequential value" for each signal
;;(other than the clock and reset inputs):

(defn sv$ (flag s v state m)
  (if (seqp m)
      (if (equal flag 'list)
          (if (and (subsetp s (signals m)) (not (equal m (dff))))
              (if (listp s)
                  (cons (sv$ t (car s) v state m)
                        (sv$ 'list (cdr s) v state m))
                ())
            f)
        (if (member s (signals m))
            (if (member s (i m))
                (lookup s (cddr (i m)) v)
              (if (or (equal m (dff))
                      (lessp (index s (lo m)) (q m)))
                  (rv s state m)
                (cv (find-o s m) (sv$ 'list (find-li s m) v state m) (find-s s m))))
          f))
    f)
  ((ord-lessp (lex (list (slevel$ flag s m (q m)) (count s))))))

(defn sv (s v state m)
  (sv$ t s v state m))

(defn svl (li v state m)
  (sv$ 'list (cddr li) v state m))

(defn svll (s v state m)
  (if (listp s)
      (cons (svl (car s) v state m)
            (svll (cdr s) v state m))
    ()))

;;NEXT computes a new state from a state and a data vector:

(defn next$ (flag v state m)
  (if (equal flag 'list)
      (if (listp m)
          (cons (next$ t (car v) (car state) (car m))
                (next$ 'list (cdr v) (cdr state) (cdr m)))
        ())
    (if (seqp m)
        (if (equal m (dff))
            (car v)
          (if (equal (q m) 1)
              (next$ t (svl (car (li m)) v state m) state (car (s m)))
            (next$ 'list
                   (svll (firstn (q m) (li m)) v state m)
                   state
                   (firstn (q m) (s m)))))
      f)))

(defn next (v state m)
  (next$ t v state m))

;;Each native signal is associated with a minimum and a
;;maximum delay, which determine an interval during which the
;;signal's value may change following a rising edge:

(defn dsmin$ (flag s m)
  (if (seqp m)
      (if (equal flag 'list)
          (if (and (subsetp s (signals m)) (not (equal m (dff))))
              (if (listp s)
                  (emin (dsmin$ t (car s) m)
                        (dsmin$ 'list (cdr s) m))
                f)
            f)
        (if (member s (signals m))
            (if (member s (i m))
                0
              (if (equal m (dff))
                  4000
                (if (lessp (index s (lo m)) (q m))
                    (dsmin$ t (find-o s m) (find-s s m))
                  (eplus (dcmin (find-o s m) (find-s s m))
                         (dsmin$ 'list (find-li s m) m)))))
          f))
    f)
  ((ord-lessp (lex (list (count m) (slevel$ flag s m (q m)) (count s))))))

(defn dsmin (s m) (dsmin$ t s m))

(defn dsmax$ (flag s m)
  (if (seqp m)
      (if (equal flag 'list)
          (if (and (subsetp s (signals m)) (not (equal m (dff))))
              (if (listp s)
                  (emax (dsmax$ t (car s) m)
                        (dsmax$ 'list (cdr s) m))
                0)
            f)
        (if (member s (signals m))
            (if (member s (i m))
                0
              (if (equal m (dff))
                  6000
                (if (lessp (index s (lo m)) (q m))
                    (dsmax$ t (find-o s m) (find-s s m))
                  (eplus (dcmax (find-o s m) (find-s s m))
                         (dsmax$ 'list (find-li s m) m)))))
          f))
    f)
  ((ord-lessp (lex (list (count m) (slevel$ flag s m (q m)) (count s))))))

(defn dsmax (s m) (dsmax$ t s m))

;;The definition of "setup" times requires some work:

(defn setup-comb (sigs setups m)
  (if (listp sigs)
      (if (zerop (car setups))
          (setup-comb (cdr sigs) (cdr setups) m)
        (emax (eplus (dcmax (car sigs) m) (car setups))
              (setup-comb (cdr sigs) (cdr setups) m)))
    0))

(defn collect-i (s li i)
  (if (listp li)
      (if (equal s (car li))
          (cons (car i) (collect-i s (cdr li) (cdr i)))
        (collect-i s (cdr li) (cdr i)))
    ()))

(defn collect-li (s li m)
  (if (listp li)
      (if (member s (car li))
          (cons (collect-i s (car li) (i (car m)))
                (collect-li s (cdr li) (cdr m)))
        (collect-li s (cdr li) (cdr m)))
    ()))

(defn collect-lo (s li lo)
  (if (listp li)
      (if (member s (car li))
          (cons (car lo) (collect-lo s (cdr li) (cdr lo)))
        (collect-lo s (cdr li) (cdr lo)))
    ()))

(defn slevel (s m)
  (slevel$ t s m (q m)))

(defn smax (m)
  (slevel$ 'list (signals m) m (q m)))

(prove-lemma leq-slevel-member ()
  (implies (and (subsetp l (signals m))
                (member s l))
           (leq (slevel$ t s m q)
                (slevel$ 'list l m q))))

(prove-lemma subsetp-cdr (rewrite)
  (implies (subsetp l (cdr m))
           (subsetp l m)))

(prove-lemma subsetp-l-l (rewrite)
  (subsetp l l))

(prove-lemma leq-slevel-smax ()
  (implies (member s (signals m))
           (leq (slevel s m) (smax m)))
  ((use (leq-slevel-member (l (signals m)) (q (q m))))
   (disable signals q slevel$)))

(defn m0 (s m)
  (add1 (difference (smax m) (slevel s m))))

(defn m1 (s m)
  (if (listp s)
      (max (m0 (car s) m)
           (m1 (cdr s) m))
    0))

(defn m4 (s m)
  (if (listp s)
      (max (m1 (car s) m)
           (m4 (cdr s) m))
    0))

(defn setup-meas (flag s m)
  (case flag
    (0 (m0 s m))
    (1 (m1 s m))
    (3 (m1 s m))
    (4 (m4 s m))
    (otherwise f)))

(defn attachedp (x y i li lo)
  (if (zerop i)
      (and (member x (car li))
           (member y (car lo)))
    (attachedp x y (sub1 i) (cdr li) (cdr lo))))

(prove-lemma member-union (rewrite)
  (implies (member x m)
           (member x (union l m))))

(prove-lemma attached-unionl ()
  (implies (attachedp x y i li lo)
           (member y (unionl lo))))

(prove-lemma attachedp-member-signals (rewrite)
  (implies (attachedp x y i (li m) (lo m))
           (member y (signals m)))
  ((use (attached-unionl (li (li m)) (lo (lo m))))))

(prove-lemma member-unionl-appears (rewrite)
  (implies (not (appears x lo))
           (not (member x (unionl lo)))))

(prove-lemma none-appear-member-unionl ()
  (implies (and (none-appear in lo)
                (member x (unionl lo)))
           (not (member x in))))

(prove-lemma attachedp-not-member-i (rewrite)
  (implies (and (attachedp x y i (li m) (lo m))
                (check-struct m))
           (not (member y (i m))))
  ((use (attached-unionl (li (li m)) (lo (lo m)))
        (none-appear-member-unionl (in (i m)) (lo (lo m)) (x y)))))

(prove-lemma none-appear-not-attached (rewrite)
  (implies (and (member y car)
                (none-appear car cdr))
           (not (attachedp x y i li cdr)))
  ((use (attached-unionl (lo cdr))
        (none-appear-member-unionl (in car) (lo cdr) (x y)))))

(prove-lemma attachedp-index ()
  (implies (and (attachedp x y i li lo)
                (all-distinct-symbols lo))
           (equal (index y lo) (fix i))))

(prove-lemma attachedp-index-rewrite (rewrite)
  (implies (and (attachedp x y i (li m) (lo m))
                (check-struct m))
           (equal (index y (lo m)) (fix i)))
  ((use (attachedp-index (li (li m)) (lo (lo m))))))

(prove-lemma attachedp-member-lookupl ()
  (implies (and (attachedp x y i li lo)
                (all-distinct-symbols lo))
           (member x (lookupl y lo li))))

(prove-lemma attachedp-member-find-li (rewrite)
  (implies (and (attachedp x y i (li m) (lo m))
                (check-struct m))
           (member x (find-li y m)))
  ((use (attachedp-member-lookupl (li (li m)) (lo (lo m))))))

(prove-lemma appears-member-unionl (rewrite)
  (implies (appears x l)
           (member x (unionl l))))

(prove-lemma all-appear-subsetp-unionl (rewrite)
  (implies (all-appear li l)
           (subsetp li (unionl l))))

(prove-lemma subsetp-lookupl ()
  (implies (lists-all-appear li l)
           (subsetp (lookupl y lo li) (unionl l))))

(prove-lemma subsetp-find-li (rewrite)
  (implies (check-struct m)
           (subsetp (find-li y m) (signals m)))
  ((use (subsetp-lookupl (li (li m)) (lo (lo m)) (l (cons (i m) (lo m)))))))

(prove-lemma attached-lessp-slevel$ ()
  (implies (and (sdepth m q)
                (modulep m)
                (structp m)
                (attachedp x y i (li m) (lo m))
                (leq q i))
           (lessp (slevel$ t x m q)
                  (slevel$ t y m q)))
  ((disable sdepth find-li signals index slevel$ check-struct attachedp)
   (use (leq-slevel-member (l (find-li y m)) (s x))
        (slevel$ (flag t) (s y)))
   (expand (modulep$ t m))))

(prove-lemma lessp-m0 ()
  (implies (and (seqp m)
                (not (equal m (dff)))
                (attachedp x y i (li m) (lo m))
                (leq (q m) i))
           (lessp (m0 y m) (m0 x m)))
  ((use (attached-lessp-slevel$ (q (q m)))
        (leq-slevel-smax (s y)))
   (disable modulep attachedp slevel$ sdepth smax q signals dff *1*dff)))

(prove-lemma not-zerop-m0 ()
  (not (zerop (m0 x m))))

(disable m0)

(prove-lemma attachedp-alt ()
  (implies (and (member x (car (cdrn i li)))
                (member y (car (cdrn i lo))))
           (attachedp x y i li lo)))

(prove-lemma lessp-m0-rewrite (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff)))
                (leq (q m) i)
                (member x (car (cdrn i (li m))))
                (member y (car (cdrn i (lo m)))))
           (equal (lessp (m0 y m) (m0 x m)) t))
  ((use (lessp-m0)
        (attachedp-alt (li (li m)) (lo (lo m))))
   (disable attachedp dff *1*dff seqp member q)))

(prove-lemma lessp-m1 ()
  (implies (and (seqp m)
                (not (equal m (dff)))
                (leq (q m) i)
                (member x (car (cdrn i (li m))))
                (subsetp ys (car (cdrn i (lo m)))))
           (equal (lessp (m1 ys m) (m0 x m)) t))
  ((disable attachedp dff *1*dff seqp member q)
   (induct (length ys))
   (use (not-zerop-m0))))

(prove-lemma lessp-m1-m0 (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff)))
                (leq (q m) i)
                (member x (car (cdrn i (li m)))))
           (equal (lessp (m1 (car (cdrn i (lo m))) m)
                         (m0 x m))
                  t))
  ((disable attachedp dff *1*dff seqp member q)
   (use (lessp-m1 (ys (car (cdrn i (lo m))))))))

(prove-lemma cdr-cdrn (rewrite)
  (equal (cdr (cdrn r l)) (cdrn (add1 r) l)))

(defn lm4-induct (r m)
  (if (lessp r (length (li m)))
      (lm4-induct (add1 r) m)
    t)
  ((lessp (difference (length (li m)) r))))

(prove-lemma nlistp-cdrn (rewrite)
  (implies (leq (length l) n)
           (not (listp (cdrn n l)))))

(prove-lemma lessp-m4 ()
  (implies (and (seqp m)
                (not (equal m (dff)))
                (leq (q m) r)
                (leq r (length (li m))))
           (equal (lessp (m4 (collect-lo s (cdrn r (li m)) (cdrn r (lo m))) m)
                         (m0 s m))
                  t))
  ((disable dff *1*dff seqp q cdrn m1)
   (induct (lm4-induct r m))
   (use (not-zerop-m0 (x s)))))

(prove-lemma equal-length-li-s ()
  (implies (seqp m)
           (equal (length (li m)) (length (s m))))
  ((expand (seqp$ t m) (modulep$ t m))))

(prove-lemma lessp-m4-rewrite (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff))))
           (equal (lessp (m4 (collect-lo s (cdrn (q$ (s m)) (li m)) (cdrn (q$ (s m)) (lo m))) m)
                         (m0 s m))
                  t))
  ((disable dff *1*dff seqp q$ cdrn m1 m4 collect-lo)
   (use (lessp-m4 (r (q m)))
        (leq-q$ (s (s m)))
        (equal-length-li-s))))

(prove-lemma leq-count-collect-lo ()
  (implies (and (equal (length li) (length s))
                (plistp s))
           (leq (count (collect-lo x li s)) (count s)))
  ((induct (collect-lo x li s))))

(prove-lemma leq-count-cdrn ()
  (implies (plistp s)
           (leq (count (cdrn q s)) (count s))))

(prove-lemma equal-length-cdrn (rewrite)
  (implies (equal (length x) (length y))
           (equal (equal (length (cdrn q x)) (length (cdrn q y)))
                  t)))

(prove-lemma plistp-cdrn ()
  (implies (and (leq q (length s)) (plistp s))
           (plistp (cdrn q s))))

(prove-lemma plistp-cdrn-q (rewrite)
  (implies (plistp s)
           (plistp (cdrn (q$ s) s)))
  ((use (plistp-cdrn (q (q$ s)))
        (leq-q$))))

(prove-lemma lessp-count-collect-lo (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (lessp (count (collect-lo x
                                            (cdrn (q$ (s m)) (li m))
                                            (cdrn (q$ (s m)) (s m))))
                         (count m))
                  t))
  ((use (leq-count-collect-lo (li (cdrn (q m) (li m))) (s (cdrn (q m) (s m))))
        (leq-count-cdrn (s (s m)) (q (q m)))
        (equal-length-li-s)
        (lessp-count-submodules))
   (disable modulep$ dff *1*dff lessp-count-submodules)))

(prove-lemma length-firstn (rewrite)
  (equal (length (firstn q x)) (fix q)))

(prove-lemma plistp-firstn (rewrite)
  (plistp (firstn q l)))

(prove-lemma lessp-count-collect-lo-firstn (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (lessp (count (collect-lo x
                                            (firstn (q$ (s m)) (li m))
                                            (firstn (q$ (s m)) (s m))))
                         (count m))
                  t))
  ((use (lessp-count-first-q)
        (equal-length-li-s)
        (leq-count-collect-lo (li (firstn (q m) (li m))) (s (firstn (q m) (s m)))))
   (disable lessp-count-first-q dff *1*dff modulep$)))

(prove-lemma leq-m0 (rewrite)
  (implies (listp x)
           (equal (lessp (m1 x m) (m0 (car x) m)) f)))

(prove-lemma leq-cdr-m1 (rewrite)
  (implies (listp x)
           (equal (lessp (m1 x m) (m1 (cdr x) m)) f)))

(prove-lemma leq-m1 (rewrite)
  (implies (listp x)
           (equal (lessp (m4 x m) (m1 (car x) m)) f)))

(prove-lemma leq-cdr-m4 (rewrite)
  (implies (listp x)
           (equal (lessp (m4 x m) (m4 (cdr x) m)) f)))


;;Each input other than the clock is associated with a "setup time",
;;which represents the duration over which the signal is required to
;;hold constant prior to a rising edge:

(disable seqp)

(disable dff)

(disable *1*dff)

(defn setup$ (flag x m)
  (case flag
    (0 (if (seqp m)
           (if (equal m (dff))
               (case x
                 (rst 8000)
                 (d 6000)
                 (otherwise f))
             (emax (setup$ 2
                           (collect-li x (firstn (q m) (li m)) (firstn (q m) (s m)))
                           (collect-lo x (firstn (q m) (li m)) (firstn (q m) (s m))))
                   (setup$ 5
                           (setup$ 4
                                   (collect-lo x (cdrn (q m) (li m)) (cdrn (q m) (lo m)))
                                   m)
                           (collect-lo x (cdrn (q m) (li m)) (cdrn (q m) (s m))))))
         f))
    (1 (if (listp x)
           (emax (setup$ 0 (car x) m)
                 (setup$ 1 (cdr x) m))
         0))
    (2 (if (listp m)
           (emax (setup$ 1 (car x) (car m))
                 (setup$ 2 (cdr x) (cdr m)))
         0))
    (3 (if (listp x)
           (cons (setup$ 0 (car x) m)
                 (setup$ 3 (cdr x) m))
         ()))
    (4 (if (listp x)
           (cons (setup$ 3 (car x) m)
                 (setup$ 4 (cdr x) m))
         ()))
    (5 (if (listp m)
           (emax (setup-comb (o (car m)) (car x) (car m))
                 (setup$ 5 (cdr x) (cdr m)))
         0))
    (otherwise f))
  ((ord-lessp (lex (list (count m) (setup-meas flag x m) (count x))))))

(enable seqp)

(enable dff)

(enable *1*dff)

(defn setup (s m)
  (setup$ 0 s m))

;;Finally, we define three parameters pertaining to the behavior of the
;;clock input, called the "clock high", the "clock low",
;;and the "minimum period". These represent the minimum
;;durations between a rising edge and the next falling edge, a falling
;;edge and the next rising edge, and successive rising edges,
;;respectively:

(defn high$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (max (high$ t (car m))
               (high$ 'list (cdr m)))
        0)
    (if (seqp m)
        (if (equal m (dff))
            4000
          (high$ 'list (firstn (q m) (s m))))
      f)))

(defn high (m)
  (high$ t m))

(defn low$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (max (low$ t (car m))
               (low$ 'list (cdr m)))
        0)
    (if (seqp m)
        (if (equal m (dff))
            6000
          (low$ 'list (firstn (q m) (s m))))
      f)))

(defn low (m)
  (low$ t m))

(defn setups-plus-delays (setups outs sub)
  (if (listp outs)
      (max (plus (dsmax (car outs) sub)
                 (car setups))
           (setups-plus-delays (cdr setups) (cdr outs) sub))
    0))

(defn p3 (s lo m)
  (if (listp s)
      (max (setups-plus-delays (setup$ 3 (car lo) m) (o (car s)) (car s))
           (p3 (cdr s) (cdr lo) m))
    0))

(defn per$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (max (per$ t (car m))
               (per$ 'list (cdr m)))
        0)
    (if (seqp m)
        (if (equal m (dff))
            10000
          (max (per$ 'list (firstn (q m) (s m)))
               (max (setup$ 3 (cdr (i m)) m)
                    (p3 (firstn (q m) (s m)) (firstn (q m) (lo m)) m))))
      f)))

(defn per (m) (per$ t m))

(disable seqp-structp)


;;***********************************************************************
;; COMPUTATIONS ON COMBINATIONAL MODULES
;;***********************************************************************

;;Whenever a combinational module is introduced, we derive all of its
;;relevant properties and then disable its definition. This procedure
;;is automated by means of several macros, which we define in this section.

;;First, for the sake of efficiency, we derive some rewrite rules that allow
;;us to disable various definitions:

(prove-lemma bvpn-rewrite-1 (rewrite)
  (implies (not (zerop n))
           (equal (bvpn x n)
                  (and (boolp (car x))
                       (bvpn (cdr x) (sub1 n))))))

(prove-lemma bvpn-rewrite-2 (rewrite)
  (implies (zerop n)
           (equal (bvpn x n)
                  (equal x ()))))

(disable bvpn)

(prove-lemma combp-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (combp$ 'list m)
                  (and (combp (car m))
                       (combp$ 'list (cdr m))))))

(prove-lemma combp-rewrite-2 (rewrite)
  (implies (nlistp m)
           (combp$ 'list m)))

(prove-lemma combp-rewrite-3 (rewrite)
  (implies (and (modulep m) (structp m))
           (equal (combp$ t m)
                  (and (sdepth m 0) (combp$ 'list (s m))))))

(prove-lemma combp-modulep (rewrite)
  (implies (combp m) (modulep m)))

(disable combp)

(disable combp$)

(prove-lemma match-inputs-rewrite-1 (rewrite) 

(implies (listp subs) 

(equal (match- inputs subins subs) 

(and (listp subins) 

(equal (length (car subins)) (ni (car subs))) 
(match- inputs (cdr sub ins) (cdr subs)))))) 

(prove-lemma match- input a -rewrite-2 (rewrite) 

(implies (nlistp subs) 

(match-inputs subins subs))) 

(prove-lemma match-output s-rewrite-l (rewrite) 
(implies (listp subs) 

(equal (match-outputs subouts subs) 

(and (equal (length (car subouts)) (no (car subs))) 
(match-outputs (cdr subouts) (cdr subs)))))) 

(prove-lemma match-outputs-rewrite-2 (rewrite) 
(implies (nlistp subs) 

(match- outputs subouts subs))) 

(disable match-inputs) 

(disable match-outputs) 

(prove-lemma modulep$-revrite-l (rewrite) 

(implies (structp m) 

(equal (modulep$ t m) 

(and (equal (length (li m)) (length (s m))) 

(match- inputs (li m) (s m)) 

(equal (length (lo m)) (length (s m))) 
(match-outputs (lo m) (s m)) 

(all-appear (o m) (lo m)) 

(lists-all-appear (li m) (cons (i m) (lo o))) 
(all-distinct-symbols (cons (i m) (lo m))) 
(modulep$ ’list (s m)))))) 

(prove-lemma modulep$-rewrite-2 (rewrite) 

(implies (listp m) 

(equal (modulep$ 'list m) 

(and (modulep (car m)) 

(modulep! ’list (cdr m)))))) 

(prove-lemma modulep$-rewrite-3 (rewrite) 

(modulep! 'list ())) 

(disable modulep) 

(disable modulep!) 
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(prove- lemma slevel$$-rewrite-l (rewrite) 

(implies (listp out) 

(equal (slevel$$ 'list out m bad q) 

(emar (slevelSS t (car out) m bad q) 

(•levelSI 'list (cdr out) m bad q))))) 

(prove-leoma •level$S-rewrite-2 (rewrite) 

(implies (nliatp out) 

(equal (alevelSS 'Hat out m bad q) 0))) 

(prove-lemaa alevel$$-revrite-3 (rewrite) 

(implies (or (member out (i m)) 

(leasp (index out (lo a)) q)) 

(equal (alevelSS. t out m bad q) 0))) 

(prove-lemma slevelSS-rewrite-4 (rewrite) 

(implies (and (not (member out (i m))) 

(not (leasp (index out (lo m)) q)) 

(not (member out bad)) 

(distinct-symbols bad) 

(member out (signals m)) 

(subsetp bad (signals m))) 

(equal (slevelSS t out m bad q) 

(eaddl (slevelSS 'list (find-li out m) m (cons out bad) q))))) 

(disable slevelSS) 

(prove-lemma cvS-rewrite-1 (rewrite) 

(implies (and (combp m) (structp m) (aubsatp s (signals a)) (listp s)) 
(equal (cv* ’list a v m) 

(cons (cv (car s) v m) 

(cv$ 'list (cdr s) v m))))) 

(prove-lemma cv$-rewrite-2 (rewrite) 

(implies (and (combp m) (structp m) (nliatp s)) 

(equal (cv$ 'list s v m) ()))) 

(prove-lemma cv$-rewrite-3 (rewrite) 

(implies (and (combp m) (structp m) (member s (signals m))) 

(equal (cv$ t s v m) 

(if (member s (i m)) 

(lookup s (i m) v) 

(cv (find-o a m) 

(cvS 'list (find-li s m) v a) 

(find-s s m)))))) 

(prove-lemma cvS-rewrite-4 (rewrite) 

(implies (behavp m) 

(equal (cvS t s v m) 

(eval (lookup s (o m) (r m)) (pairlist (i m) v))))) 

(prove-lemma cv-rewrite (rewrite) 

(equal (cv s v m) (cv$ t s v m))) 

(disable cv) 

(disable cv$) 
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(prove-lemma dcminl-rewrite-l (rewrite) 

(implies (and- (combp m) (structp m) (subsetp s (signals m)) (listp «)) 
(equal (dcmin$ 1 list s m) 

(emin (dcmin (car s) m) 

(dcmin$ 'list (cdr ») m))))) 

(prove-lemma dcmin$-revrite~2 (rewrite) 

(implies (and (combp m) (structp m) (nlistp s)) 

(equal (dcain$ 'list s m) f))) 

(prove -lemma dcmin$-revrite-3 (rewrite) 

(implies (and (combp m) (structp m) (member s (signals m))) 

(equal (dcminl t s m) 

(if (member s (i m)) 

0 

(eplus (dcain (find-o s m) (find-s s m)) 

(dcmin$ ’list (find-li s m) m)))))) 

(prove-lemma dcmin$-rewrite-4 (rewrite) 

(implies (behavp m) 

(equal (dcmin$ t s m) 

(lookup s (o m) (dm))))) 

(prove-lemma dcmin-rewrite (rewrite) 

(equal (dcmin s m) (dcminS t s m))) 

(disable dcmin$) 

(disable dcmin) 

(prove-lemma dcmax$-revrite-l (rewrite) 

(implies (and (combp m) (structp m) (subsetp s (signals m)) (listp s)) 
(equal (dcmax$ 'list s m) 

(emax (dcmax (car s) m) 

(dcmax$ 'list (cdr s) m))))) 

(prove-lemma dcmax$-rewrite-2 (rewrite) 

(implies (and (combp m) (structp m) (nlistp s)) 

(equal (dcmaxS 'list s m) 0))) 

(prove-lemma dcmax$-rewrite-3 (rewrite) 

(implies (and (combp m) (structp m) (member s (signals m))) 

(equal (dcmaxl t s m) 

(if (member s (i m)) 

0 

(eplus (dcmax (find-o s m) (find-s s m)) 

(dcmaxS 'list (find-li s m) m)))))) 

(prove-lemma dcmax$-rewrite-4 (rewrite) 

(implies (behavp m) 

(equal (dcmax$ t s m) 

(lookup s (o m) *(d m))))) 

(prove-lemma dcmax-rewrite (rewrite) 

(equal (dcmax s m) (dcmax$ t s m))) 

(disable dcmax $) 

(disable dcmax) 
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(prove -lenmta lookup-rewrite (rewrite) 
(implies (listp i) 

(equal (lookup s i v) 

(if (equal s (car i)) 

(car v) 

(lookup s (cdr i) (cdr v)))))) 
(disable lookup) 

(prove-lemma lookupl-rewrite (rewrite) 
(implies (listp i) 

(equal (lookupl s i v) 

(if (member s (car i)) 

(car v) 

(lookupl s (cdr i) (cdr v)))))) 
(disable lookupl) 


;;For each gate, we establish its components, prove that it is a
;;combinational module, derive its basic parameters, and then disable its
;;definition:

(defmacro print-and-prove (&rest args)
  `(and (print '(prove-lemma ,@args))
        (prove-lemma ,@args)))

;; The format string of HYPHEN was lost in scanning; "~A-~A" is assumed here,
;; which yields names of the form MODULE-PROPERTY as used throughout.
(defun hyphen (x y)
  (intern (format () "~A-~A" x y)))

(defun ex (m)
  (intern (format () "*1*~A" m)))

(defmacro dogate (m i o r d cv)
  `(and (print-and-prove ,(hyphen m 'type) (rewrite)
          (equal (type (,m)) 'behav)
          ((enable type)))
        (print-and-prove ,(hyphen m 'i) (rewrite)
          (equal (i (,m)) ',i)
          ((enable i)))
        (print-and-prove ,(hyphen m 'o) (rewrite)
          (equal (o (,m)) '(,o))
          ((enable o)))
        (print-and-prove ,(hyphen m 'r) (rewrite)
          (equal (r (,m)) '(,r))
          ((enable r)))
        (print-and-prove ,(hyphen m 'd) (rewrite)
          (equal (d (,m)) '(,d))
          ((enable d)))
        (print-and-prove ,(hyphen m 'p) (rewrite)
          (equal (p (,m)) '(inert))
          ((enable p)))
        (print-and-prove ,(hyphen m 'modulep) (rewrite)
          (modulep (,m)))
        (print-and-prove ,(hyphen m 'combp) (rewrite)
          (combp (,m)))
        (print-and-prove ,(hyphen m 'cv) (rewrite)
          (equal (cv ',o v (,m))
                 ,cv))
        (print-and-prove ,(hyphen m 'dmin) (rewrite)
          (equal (dcmin ',o (,m)) ,d))
        (print-and-prove ,(hyphen m 'dmax) (rewrite)
          (equal (dcmax ',o (,m)) ,d))
        (disable ,m)
        (disable ,(ex m))))

(dogate t0 () t (t0) 2000 t)

(dogate f0 () f (f0) 2000 f)

(dogate not1 (a) b (not1 a) 2000
  (not (car v)))

(dogate and2 (a b) c (and2 a b) 2000
  (and (car v) (cadr v)))

(dogate or2 (a b) c (or2 a b) 2000
  (or (car v) (cadr v)))

(dogate nand2 (a b) c (nand2 a b) 2000
  (not (and (car v) (cadr v))))

(dogate fnand2 (a b) c (nand2 a b) 1000
  (not (and (car v) (cadr v))))

(dogate nor2 (a b) c (nor2 a b) 2000
  (not (or (car v) (cadr v))))

(dogate xor2 (a b) c (xor2 a b) 2000
  (not (equal (car v) (cadr v))))

(dogate and3 (a b c) d (and3 a b c) 2000
  (and (car v) (cadr v) (caddr v)))

(dogate or3 (a b c) d (or3 a b c) 2000
  (or (car v) (cadr v) (caddr v)))

(dogate nand3 (a b c) d (nand3 a b c) 2000
  (not (and (car v) (cadr v) (caddr v))))

(dogate nor3 (a b c) d (nor3 a b c) 2000
  (not (or (car v) (cadr v) (caddr v))))

(dogate xor3 (a b c) d (xor3 a b c) 2000
  (not (equal (car v) (not (equal (cadr v) (caddr v))))))

(dogate and4 (a b c d) e (and4 a b c d) 2000
  (and (car v) (cadr v) (caddr v) (cadddr v)))

(dogate or4 (a b c d) e (or4 a b c d) 2000
  (or (car v) (cadr v) (caddr v) (cadddr v)))

(dogate nand4 (a b c d) e (nand4 a b c d) 2000
  (not (and (car v) (cadr v) (caddr v) (cadddr v))))

(dogate nor4 (a b c d) e (nor4 a b c d) 2000
  (not (or (car v) (cadr v) (caddr v) (cadddr v))))

(dogate xor4 (a b c d) e (xor4 a b c d) 2000
  (not (equal (car v) (not (equal (cadr v) (not (equal (caddr v) (cadddr v))))))))

(dogate and5 (a b c d e) g (and5 a b c d e) 2000
  (and (car v) (cadr v) (caddr v) (cadddr v) (caddddr v)))

(dogate or5 (a b c d e) g (or5 a b c d e) 2000
  (or (car v) (cadr v) (caddr v) (cadddr v) (caddddr v)))

(dogate nand5 (a b c d e) g (nand5 a b c d e) 2000
  (not (and (car v) (cadr v) (caddr v) (cadddr v) (caddddr v))))

(dogate nor5 (a b c d e) g (nor5 a b c d e) 2000
  (not (or (car v) (cadr v) (caddr v) (cadddr v) (caddddr v))))

(dogate xor5 (a b c d e) g (xor5 a b c d e) 2000
  (not (equal (car v)
              (not (equal (cadr v)
                          (not (equal (caddr v)
                                      (not (equal (cadddr v) (caddddr v))))))))))

;;The same is done for every combinational structure at the time of its
;;definition.  We illustrate with the structure ADDER2:

(prove-lemma type-adder2 (rewrite)
  (equal (type (adder2)) 'struct)
  ((enable type)))

(prove-lemma i-adder2 (rewrite)
  (equal (i (adder2)) '(a b c))
  ((enable i)))

(prove-lemma o-adder2 (rewrite)
  (equal (o (adder2)) '(l h))
  ((enable o)))

(prove-lemma s-adder2 (rewrite)
  (equal (s (adder2))
         (list (nand2) (nand2) (nand2) (nand2) (nand2) (nand2) (nand2) (nand2) (nand2)))
  ((enable s)))

(prove-lemma li-adder2 (rewrite)
  (equal (li (adder2))
         '((a b) (a t1) (b t1) (t2 t3) (c t4) (t5 t4) (c t5) (t5 t1) (t7 t6)))
  ((enable li)))

(prove-lemma lo-adder2 (rewrite)
  (equal (lo (adder2))
         '((t1) (t2) (t3) (t4) (t5) (t6) (t7) (h) (l)))
  ((enable lo)))

(disable adder2)

(disable *1*adder2)

(prove-lemma modulep-adder2 (rewrite)
  (modulep (adder2))
  ((use (modulep (m (adder2))))))

(prove-lemma combp-adder2 (rewrite)
  (combp (adder2))
  ((enable sdepth)
   (use (combp (m (adder2))))))

(prove-lemma cv-adder2-l (rewrite)
  (implies (cvecp v (adder2))
           (equal (cv 'l v (adder2))
                  (not (equal (car v) (not (equal (cadr v) (caddr v))))))))

(prove-lemma cv-adder2-h (rewrite)
  (implies (cvecp v (adder2))
           (equal (cv 'h v (adder2))
                  (if (car v) (or (cadr v) (caddr v)) (and (cadr v) (caddr v))))))

(prove-lemma adder2-dcmin-l (rewrite)
  (equal (dcmin 'l (adder2)) 4000))

(prove-lemma adder2-dcmax-l (rewrite)
  (equal (dcmax 'l (adder2)) 12000))

(prove-lemma adder2-dcmin-h (rewrite)
  (equal (dcmin 'h (adder2)) 4000))

(prove-lemma adder2-dcmax-h (rewrite)
  (equal (dcmax 'h (adder2)) 10000))
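As an added worked example (written in Python for this page, not code from the report or its Boyer-Moore event list), the following evaluates the CV$, DCMIN$ and DCMAX$ recursions of the rewrite rules above on a structural combinational module and checks them against the ADDER2 lemmas: sum `l` is a xor b xor c, carry `h` is the majority, and the delays are 4000/12000 for `l` and 4000/10000 for `h`. The nine-NAND netlist and the 2000-unit NAND2 delay are the ones given for ADDER2; the dictionary representation, the helper names (`gate`, `struct`, `find`) and the treatment of an input-less gate in `dcmin` (its own delay only, where the listing's DCMIN$ yields F for an empty list) are assumptions of this example.

```python
"""CV, DCMIN and DCMAX of a structural combinational module, checked on ADDER2.

Added example, not the report's own code.  A module is a dict: a behavioural
gate carries a Python function and a delay; a structure carries its
submodules S with their local inputs LI and local outputs LO, as DEFCOMB
builds them.
"""
from itertools import product

GATE_DELAY = 2000            # delay of NAND2 in the page's gate library


def gate(name, n, fn, d=GATE_DELAY):
    """Behavioural gate with n inputs; its one output has value fn(v) and delay d."""
    return {"name": name, "type": "behav", "i": list("abcde")[:n],
            "o": ["out"], "fn": fn, "d": d}


NAND2 = gate("nand2", 2, lambda v: not (v[0] and v[1]))


def struct(name, i, o, *subs):
    """Structural module from (submodule, li, lo) triples (helper of this example)."""
    return {"name": name, "type": "struct", "i": i, "o": o,
            "s": [s for s, _, _ in subs],
            "li": [li for _, li, _ in subs],
            "lo": [lo for _, _, lo in subs]}


def find(sig, m):
    """Submodule driving sig, its local inputs and its own name for sig
    (the roles of FIND-S, FIND-LI and FIND-O)."""
    for sub, li, lo in zip(m["s"], m["li"], m["lo"]):
        if sig in lo:
            return sub, li, sub["o"][lo.index(sig)]
    raise KeyError(f"{sig} is not driven inside {m['name']}")


def cv(sig, v, m):
    """Value of signal sig when the inputs of m carry the vector v (CV$)."""
    if m["type"] == "behav":
        return m["fn"](v)
    if sig in m["i"]:
        return v[m["i"].index(sig)]
    sub, li, out = find(sig, m)
    return cv(out, [cv(x, v, m) for x in li], sub)


def dcmin(sig, m):
    """Shortest propagation delay from an input of m to sig (DCMIN$).
    Assumption: a gate without inputs contributes only its own delay."""
    if m["type"] == "behav":
        return m["d"]
    if sig in m["i"]:
        return 0
    sub, li, out = find(sig, m)
    return dcmin(out, sub) + min((dcmin(x, m) for x in li), default=0)


def dcmax(sig, m):
    """Longest propagation delay from an input of m to sig (DCMAX$)."""
    if m["type"] == "behav":
        return m["d"]
    if sig in m["i"]:
        return 0
    sub, li, out = find(sig, m)
    return dcmax(out, sub) + max((dcmax(x, m) for x in li), default=0)


# ADDER2: nine NAND2 gates, inputs a b c, sum l and carry h (LI/LO as in the lemmas).
ADDER2 = struct("adder2", ["a", "b", "c"], ["l", "h"],
                (NAND2, ["a", "b"], ["t1"]),
                (NAND2, ["a", "t1"], ["t2"]),
                (NAND2, ["b", "t1"], ["t3"]),
                (NAND2, ["t2", "t3"], ["t4"]),
                (NAND2, ["c", "t4"], ["t5"]),
                (NAND2, ["t5", "t4"], ["t6"]),
                (NAND2, ["c", "t5"], ["t7"]),
                (NAND2, ["t5", "t1"], ["h"]),
                (NAND2, ["t7", "t6"], ["l"]))


def adder2_delays():
    """(DCMIN, DCMAX) of each output, to compare with the ADDER2-DCMIN/DCMAX lemmas."""
    return {s: (dcmin(s, ADDER2), dcmax(s, ADDER2)) for s in ADDER2["o"]}


def adder2_matches_spec():
    """CV-ADDER2-L and CV-ADDER2-H, checked over every boolean input vector."""
    for a, b, c in product((False, True), repeat=3):
        if cv("l", [a, b, c], ADDER2) != (a != (b != c)):
            return False
        if cv("h", [a, b, c], ADDER2) != ((b or c) if a else (b and c)):
            return False
    return True


if __name__ == "__main__":
    print(adder2_delays(), adder2_matches_spec())
```

The recursion mirrors CV$-REWRITE-3 and DCMIN$/DCMAX$-REWRITE-3 exactly: an input signal contributes the looked-up value or zero delay, any other signal is resolved through the submodule that drives it.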


(defun make-s (subs)
  (if (consp subs)
      (cons (list (caar subs)) (make-s (cdr subs)))
    ()))

(defun make-li (subs)
  (if (consp subs)
      (cons (cadar subs) (make-li (cdr subs)))
    ()))

(defun make-lo (subs)
  (if (consp subs)
      (cons (caddar subs) (make-lo (cdr subs)))
    ()))

;;We use the following macro to introduce new combinational structures:

(defmacro defcomb (m i o &rest subs)
  (let ((s (make-s subs)) (li (make-li subs)) (lo (make-lo subs)))
    `(and (defn ,m ()
            (list 'struct ',i ',o (list ,@s) ',li ',lo))
          (print-and-prove ,(hyphen m 'type) (rewrite)
            (equal (type (,m)) 'struct)
            ((enable type)))
          (print-and-prove ,(hyphen m 'i) (rewrite)
            (equal (i (,m)) ',i)
            ((enable i)))
          (print-and-prove ,(hyphen m 'o) (rewrite)
            (equal (o (,m)) ',o)
            ((enable o)))
          (print-and-prove ,(hyphen m 's) (rewrite)
            (equal (s (,m)) (list ,@s))
            ((enable s)))
          (print-and-prove ,(hyphen m 'li) (rewrite)
            (equal (li (,m)) ',li)
            ((enable li)))
          (print-and-prove ,(hyphen m 'lo) (rewrite)
            (equal (lo (,m)) ',lo)
            ((enable lo)))
          (disable ,m)
          (disable ,(ex m))
          (print-and-prove ,(hyphen m 'modulep) (rewrite)
            (modulep (,m))
            ((use (modulep (m (,m))))))
          (print-and-prove ,(hyphen m 'combp) (rewrite)
            (combp (,m))
            ((enable sdepth)
             (use (combp (m (,m)))))))))


;;***********************************************************************
;; COMPUTATIONS ON SEQUENTIAL MODULES
;;***********************************************************************

;;We establish a similar procedure for deriving the relevant properties
;;of a sequential module before disabling its definition.

;;First, we derive the basic properties of DFF:

(prove-lemma not-combp-dff (rewrite)
  (not (combp (dff)))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3)))

(prove-lemma modulep-dff (rewrite)
  (modulep (dff))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3)))

(prove-lemma type-dff (rewrite)
  (equal (type (dff)) 'struct)
  ((enable type)))

(prove-lemma i-dff (rewrite)
  (equal (i (dff)) '(clk rst d))
  ((enable i)))

(prove-lemma o-dff (rewrite)
  (equal (o (dff)) '(q qn))
  ((enable o)))

(prove-lemma seqp-dff (rewrite)
  (seqp (dff))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3)))

(prove-lemma rv-rewrite (rewrite)
  (equal (rv s state m) (rv$ t s state m)))

(prove-lemma rv-dff-q (rewrite)
  (equal (rv 'q state (dff)) state)
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3 i lo)))

(prove-lemma rv-dff-qn (rewrite)
  (equal (rv 'qn state (dff)) (not state))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3 i lo)))

(prove-lemma next-dff (rewrite)
  (equal (next v state (dff)) (car v))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3)))

(disable dff)

(disable *1*dff)

;;Next, we derive some rewrite rules that allow us to disable various
;;function definitions:

(defn sc-induct (m)
  (if (structp m)
      (if (equal m (dff))
          t
        (sc-induct (car (s m))))
    t))

(prove-lemma combp-car-s (rewrite)
  (implies (and (structp m)
                (combp m)
                (listp (s m)))
           (combp (car (s m))))
  ((enable combp combp$)
   (expand (combp$ t m))))

(prove-lemma seqp$-car-s (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (seqp$ t (car (s m))))
  ((expand (seqp$ t m) (firstn (q$ (s m)) (s m)))))

(prove-lemma seq-combp (rewrite)
  (implies (seqp m) (not (combp m)))
  ((induct (sc-induct m))))

(prove-lemma nativep$-rewrite-1 (rewrite)
  (implies (and (sdepth m (q m))
                (subsetp s (signals m))
                (listp s))
           (equal (nativep$ 'list s m)
                  (and (nativep$ t (car s) m)
                       (nativep$ 'list (cdr s) m)))))

(prove-lemma nativep$-rewrite-2 (rewrite)
  (implies (and (sdepth m (q m))
                (nlistp s))
           (nativep$ 'list s m)))

(prove-lemma nativep$-rewrite-3 (rewrite)
  (implies (and (sdepth m (q m))
                (not (equal m (dff)))
                (member s (signals m))
                (not (member s (i m))))
           (equal (nativep$ t s m)
                  (if (lessp (index s (lo m)) (q m))
                      t
                    (nativep$ 'list (find-li s m) m)))))

(disable nativep$)

(prove-lemma firstn-rewrite-1 (rewrite)
  (implies (not (zerop n))
           (equal (firstn n l)
                  (cons (car l) (firstn (sub1 n) (cdr l))))))

(prove-lemma firstn-rewrite-2 (rewrite)
  (implies (zerop n)
           (equal (firstn n l) ())))

(disable firstn)

(prove-lemma seqp$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (seqp$ 'list m)
                  (and (seqp (car m))
                       (seqp$ 'list (cdr m))))))

(prove-lemma seqp$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (seqp$ 'list m)))

(prove-lemma seqp$-rewrite-3 (rewrite)
  (implies (and (modulep m) (structp m) (not (equal m (dff))))
           (equal (seqp$ t m)
                  (and (geq (ni m) 2)
                       (not (zerop (q m)))
                       (seqp$ 'list (firstn (q m) (s m)))
                       (check-seq-li (car (i m)) (cadr (i m)) (firstn (q m) (li m)))
                       (check-comb-li (car (i m)) (cadr (i m)) (cdrn (q m) (li m)))
                       (sdepth m (q m))
                       (nativep$ 'list (o m) m))))
  ((expand (seqp$ t m))))

(disable seqp$)

(disable seqp)

(prove-lemma rv$-rewrite-1 (rewrite)
  (implies (and (seqp m)
                (subsetp s (signals m))
                (listp s)
                (not (equal m (dff))))
           (equal (rv$ 'list s state m)
                  (cons (rv (car s) state m)
                        (rv$ 'list (cdr s) state m)))))

(prove-lemma rv$-rewrite-2 (rewrite)
  (implies (and (seqp m)
                (nlistp s)
                (not (equal m (dff))))
           (equal (rv$ 'list s state m) ())))

(prove-lemma rv$-rewrite-3 (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff)))
                (member s (signals m))
                (not (member s (i m))))
           (equal (rv$ t s state m)
                  (if (lessp (index s (lo m)) (q m))
                      (rv (find-o s m) (find-state s state m) (find-s s m))
                    (cv (find-o s m) (rv$ 'list (find-li s m) state m) (find-s s m))))))

(disable rv$)

(disable rv)

(prove-lemma sv$-rewrite-1 (rewrite)
  (implies (and (seqp m)
                (subsetp s (signals m))
                (listp s)
                (not (equal m (dff))))
           (equal (sv$ 'list s v state m)
                  (cons (sv$ t (car s) v state m)
                        (sv$ 'list (cdr s) v state m)))))

(prove-lemma sv$-rewrite-2 (rewrite)
  (implies (and (seqp m)
                (nlistp s)
                (not (equal m (dff))))
           (equal (sv$ 'list s v state m) ())))

(prove-lemma sv$-rewrite-3 (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff)))
                (member s (signals m)))
           (equal (sv$ t s v state m)
                  (if (member s (i m))
                      (lookup s (cddr (i m)) v)
                    (if (lessp (index s (lo m)) (q m))
                        (rv s state m)
                      (cv (find-o s m) (sv$ 'list (find-li s m) v state m) (find-s s m))))))
  ((disable member)))

(disable sv$)

(prove-lemma next$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (next$ 'list v state m)
                  (cons (next (car v) (car state) (car m))
                        (next$ 'list (cdr v) (cdr state) (cdr m))))))

(prove-lemma next$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (next$ 'list v state m) ())))

(prove-lemma next$-rewrite-3 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (next$ t v state m)
                  (if (equal (q m) 1)
                      (next (svl (car (li m)) v state m) state (car (s m)))
                    (next$ 'list
                           (svll (firstn (q m) (li m)) v state m)
                           state
                           (firstn (q m) (s m))))))
  ((disable dff)))

(disable next$)

(disable next)

(prove-lemma q$-rewrite-1 (rewrite)
  (implies (listp mods)
           (equal (q$ mods)
                  (if (combp (car mods))
                      0
                    (add1 (q$ (cdr mods)))))))

(prove-lemma q$-rewrite-2 (rewrite)
  (implies (nlistp mods)
           (equal (q$ mods) 0)))

(disable q$)

(disable q)

(prove-lemma statep$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (statep$ 'list state m)
                  (and (statep (car state) (car m))
                       (statep$ 'list (cdr state) (cdr m))))))

(prove-lemma statep$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (statep$ 'list state m)
                  (equal state ()))))

(prove-lemma statep$-rewrite-3 (rewrite)
  (implies (and (modulep m) (structp m) (not (equal m (dff))))
           (equal (statep$ t state m)
                  (if (equal (q m) 1)
                      (statep state (car (s m)))
                    (statep$ 'list state (firstn (q m) (s m)))))))

(prove-lemma statep-dff-rewrite (rewrite)
  (equal (statep state (dff))
         (boolp state))
  ((disable boolp)))

(disable statep$)

(disable statep)

(prove-lemma regp-rewrite (rewrite)
  (implies (seqp m)
           (equal (regp s m)
                  (if (equal m (dff))
                      (member s (o m))
                    (and (lessp (index s (lo m)) (q m))
                         (regp (find-o s m) (find-s s m)))))))

(disable regp)

(prove-lemma dsmin$-rewrite-1 (rewrite)
  (implies (and (seqp m) (subsetp s (signals m)) (not (equal m (dff))) (listp s))
           (equal (dsmin$ 'list s m)
                  (emin (dsmin$ t (car s) m)
                        (dsmin$ 'list (cdr s) m)))))

(prove-lemma dsmin$-rewrite-2 (rewrite)
  (implies (and (seqp m) (subsetp s (signals m)) (not (equal m (dff))) (nlistp s))
           (equal (dsmin$ 'list s m) f)))

(prove-lemma dsmin$-rewrite-3 (rewrite)
  (implies (and (seqp m)
                (member s (signals m))
                (not (member s (i m)))
                (not (equal m (dff))))
           (equal (dsmin$ t s m)
                  (if (lessp (index s (lo m)) (q m))
                      (dsmin (find-o s m) (find-s s m))
                    (eplus (dcmin (find-o s m) (find-s s m))
                           (dsmin$ 'list (find-li s m) m))))))

(prove-lemma dsmin$-rewrite-4 (rewrite)
  (implies (and (member s (signals (dff)))
                (not (member s (i (dff)))))
           (equal (dsmin$ t s (dff)) 4000)))

(prove-lemma dsmin-rewrite (rewrite)
  (equal (dsmin s m) (dsmin$ t s m)))

(disable dsmin$)

(disable dsmin)

(prove-lemma dff-dsmin-q (rewrite)
  (equal (dsmin 'q (dff)) 4000)
  ((enable *1*dff *1*nand2 *1*lo *1*i *1*nand3 *1*not1)))

(prove-lemma dff-dsmin-qn (rewrite)
  (equal (dsmin 'qn (dff)) 4000)
  ((enable *1*dff *1*nand2 *1*lo *1*i *1*nand3 *1*not1)))

(prove-lemma dsmax$-rewrite-1 (rewrite)
  (implies (and (seqp m) (subsetp s (signals m)) (not (equal m (dff))) (listp s))
           (equal (dsmax$ 'list s m)
                  (emax (dsmax$ t (car s) m)
                        (dsmax$ 'list (cdr s) m)))))

(prove-lemma dsmax$-rewrite-2 (rewrite)
  (implies (and (seqp m) (subsetp s (signals m)) (not (equal m (dff))) (nlistp s))
           (equal (dsmax$ 'list s m) 0)))

(prove-lemma dsmax$-rewrite-3 (rewrite)
  (implies (and (seqp m)
                (member s (signals m))
                (not (member s (i m)))
                (not (equal m (dff))))
           (equal (dsmax$ t s m)
                  (if (lessp (index s (lo m)) (q m))
                      (dsmax (find-o s m) (find-s s m))
                    (eplus (dcmax (find-o s m) (find-s s m))
                           (dsmax$ 'list (find-li s m) m))))))

(prove-lemma dsmax$-rewrite-4 (rewrite)
  (implies (and (member s (signals (dff)))
                (not (member s (i (dff)))))
           (equal (dsmax$ t s (dff)) 6000)))

(prove-lemma dsmax-rewrite (rewrite)
  (equal (dsmax s m) (dsmax$ t s m)))

(disable dsmax$)

(disable dsmax)

(prove-lemma dff-dsmax-q (rewrite)
  (equal (dsmax 'q (dff)) 6000)
  ((enable *1*dff *1*nand2 *1*lo *1*i *1*nand3 *1*not1)))

(prove-lemma dff-dsmax-qn (rewrite)
  (equal (dsmax 'qn (dff)) 6000)
  ((enable *1*dff *1*nand2 *1*lo *1*i *1*nand3 *1*not1)))


(prove-lemma setup-rewrite (rewrite)
  (equal (setup s m) (setup$ 0 s m)))

(disable setup)

(prove-lemma dff-setup-rst (rewrite)
  (equal (setup 'rst (dff)) 8000))

(prove-lemma dff-setup-d (rewrite)
  (equal (setup 'd (dff)) 6000))

(prove-lemma setup$-rewrite-1 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (setup$ 0 x m)
                  (emax (setup$ 2
                                (collect-li x (firstn (q m) (li m)) (firstn (q m) (s m)))
                                (collect-lo x (firstn (q m) (li m)) (firstn (q m) (s m))))
                        (setup$ 5
                                (setup$ 4
                                        (collect-lo x (cdrn (q m) (li m)) (cdrn (q m) (lo m)))
                                        m)
                                (collect-lo x (cdrn (q m) (li m)) (cdrn (q m) (s m))))))))

(prove-lemma setup$-rewrite-2 (rewrite)
  (implies (listp x)
           (equal (setup$ 1 x m)
                  (emax (setup (car x) m)
                        (setup$ 1 (cdr x) m)))))

(prove-lemma setup$-rewrite-3 (rewrite)
  (implies (nlistp x)
           (equal (setup$ 1 x m) 0)))

(prove-lemma setup$-rewrite-4 (rewrite)
  (implies (listp m)
           (equal (setup$ 2 x m)
                  (emax (setup$ 1 (car x) (car m))
                        (setup$ 2 (cdr x) (cdr m))))))

(prove-lemma setup$-rewrite-5 (rewrite)
  (implies (nlistp m)
           (equal (setup$ 2 x m) 0)))

(prove-lemma setup$-rewrite-6 (rewrite)
  (implies (listp x)
           (equal (setup$ 3 x m)
                  (cons (setup (car x) m)
                        (setup$ 3 (cdr x) m)))))

(prove-lemma setup$-rewrite-7 (rewrite)
  (implies (nlistp x)
           (equal (setup$ 3 x m) ())))

(prove-lemma setup$-rewrite-8 (rewrite)
  (implies (listp x)
           (equal (setup$ 4 x m)
                  (cons (setup$ 3 (car x) m)
                        (setup$ 4 (cdr x) m)))))

(prove-lemma setup$-rewrite-9 (rewrite)
  (implies (nlistp x)
           (equal (setup$ 4 x m) ())))

(prove-lemma setup$-rewrite-10 (rewrite)
  (implies (listp m)
           (equal (setup$ 5 x m)
                  (emax (setup-comb (o (car m)) (car x) (car m))
                        (setup$ 5 (cdr x) (cdr m))))))

(prove-lemma setup$-rewrite-11 (rewrite)
  (implies (nlistp m)
           (equal (setup$ 5 x m) 0)))

(disable setup$)

(prove-lemma setup-comb-rewrite-1 (rewrite)
  (implies (listp sigs)
           (equal (setup-comb sigs setups m)
                  (if (zerop (car setups))
                      (setup-comb (cdr sigs) (cdr setups) m)
                    (emax (eplus (dcmax (car sigs) m) (car setups))
                          (setup-comb (cdr sigs) (cdr setups) m))))))

(prove-lemma setup-comb-rewrite-2 (rewrite)
  (implies (nlistp sigs)
           (equal (setup-comb sigs setups m) 0)))


(prove-lemma collect-i-rewrite-1 (rewrite)
  (implies (listp li)
           (equal (collect-i s li i)
                  (if (equal s (car li))
                      (cons (car i) (collect-i s (cdr li) (cdr i)))
                    (collect-i s (cdr li) (cdr i))))))

(prove-lemma collect-i-rewrite-2 (rewrite)
  (implies (nlistp li)
           (equal (collect-i s li i) ())))

(prove-lemma collect-li-rewrite-1 (rewrite)
  (implies (listp li)
           (equal (collect-li s li m)
                  (if (member s (car li))
                      (cons (collect-i s (car li) (i (car m)))
                            (collect-li s (cdr li) (cdr m)))
                    (collect-li s (cdr li) (cdr m))))))

(prove-lemma collect-li-rewrite-2 (rewrite)
  (implies (nlistp li)
           (equal (collect-li s li m) ())))

(prove-lemma collect-lo-rewrite-1 (rewrite)
  (implies (listp li)
           (equal (collect-lo s li lo)
                  (if (member s (car li))
                      (cons (car lo) (collect-lo s (cdr li) (cdr lo)))
                    (collect-lo s (cdr li) (cdr lo))))))

(prove-lemma collect-lo-rewrite-2 (rewrite)
  (implies (nlistp li)
           (equal (collect-lo s li lo) ())))

(prove-lemma high-rewrite (rewrite)
  (equal (high m) (high$ t m)))

(disable high)

(prove-lemma high$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (high$ 'list m)
                  (max (high (car m))
                       (high$ 'list (cdr m))))))

(prove-lemma high$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (high$ 'list m) 0)))

(prove-lemma high$-rewrite-3 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (high$ t m)
                  (high$ 'list (firstn (q m) (s m))))))

(prove-lemma dff-high-rewrite (rewrite)
  (equal (high (dff)) 4000))

(disable high$)

(prove-lemma low-rewrite (rewrite)
  (equal (low m) (low$ t m)))

(disable low)

(prove-lemma low$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (low$ 'list m)
                  (max (low (car m))
                       (low$ 'list (cdr m))))))

(prove-lemma low$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (low$ 'list m) 0)))

(prove-lemma low$-rewrite-3 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (low$ t m)
                  (low$ 'list (firstn (q m) (s m))))))

(prove-lemma dff-low-rewrite (rewrite)
  (equal (low (dff)) 6000))

(disable low$)

(prove-lemma setups-plus-delays-rewrite-1 (rewrite)
  (implies (listp outs)
           (equal (setups-plus-delays setups outs sub)
                  (max (plus (dsmax (car outs) sub)
                             (car setups))
                       (setups-plus-delays (cdr setups) (cdr outs) sub)))))

(prove-lemma setups-plus-delays-rewrite-2 (rewrite)
  (implies (nlistp outs)
           (equal (setups-plus-delays setups outs sub) 0)))

(prove-lemma p3-rewrite-1 (rewrite)
  (implies (listp s)
           (equal (p3 s lo m)
                  (max (setups-plus-delays (setup$ 3 (car lo) m) (o (car s)) (car s))
                       (p3 (cdr s) (cdr lo) m)))))

(prove-lemma p3-rewrite-2 (rewrite)
  (implies (nlistp s)
           (equal (p3 s lo m) 0)))

(prove-lemma per-rewrite (rewrite)
  (equal (per m) (per$ t m)))

(disable per)

(prove-lemma per$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (per$ 'list m)
                  (max (per (car m))
                       (per$ 'list (cdr m))))))

(prove-lemma per$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (per$ 'list m) 0)))

(prove-lemma per-dff-rewrite (rewrite)
  (equal (per (dff)) 10000))

(prove-lemma per$-rewrite-3 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (per$ t m)
                  (max (per$ 'list (firstn (q m) (s m)))
                       (max (setup$ 3 (cdr (i m)) m)
                            (p3 (firstn (q m) (s m)) (firstn (q m) (lo m)) m))))))

(disable per$)

;;Finally, we define the following macro, which we use to define
;;sequential modules and derive their properties:

(defmacro defseq (m q i o &rest subs)
  (let ((s (make-s subs)) (li (make-li subs)) (lo (make-lo subs)))
    `(and (defn ,m ()
            (list 'struct ',i ',o (list ,@s) ',li ',lo))
          (print-and-prove ,(hyphen m 'type) (rewrite)
            (equal (type (,m)) 'struct)
            ((enable type)))
          (print-and-prove ,(hyphen m 'i) (rewrite)
            (equal (i (,m)) ',i)
            ((enable i)))
          (print-and-prove ,(hyphen m 'o) (rewrite)
            (equal (o (,m)) ',o)
            ((enable o)))
          (print-and-prove ,(hyphen m 's) (rewrite)
            (equal (s (,m)) (list ,@s))
            ((enable s)))
          (print-and-prove ,(hyphen m 'li) (rewrite)
            (equal (li (,m)) ',li)
            ((enable li)))
          (print-and-prove ,(hyphen m 'lo) (rewrite)
            (equal (lo (,m)) ',lo)
            ((enable lo)))
          (print-and-prove ,(hyphen m 'not-dff) (rewrite)
            (not (equal (,m) (dff)))
            ((enable dff)))
          (disable ,m)
          (disable ,(ex m))
          (print-and-prove ,(hyphen m 'modulep) (rewrite)
            (modulep (,m))
            ((use (modulep (m (,m))))))
          (print-and-prove ,(hyphen m 'q) (rewrite)
            (equal (q (,m)) ,q)
            ((use (q (m (,m))))))
          (print-and-prove ,(hyphen m 'sdepth) (rewrite)
            (sdepth (,m) ,q)
            ((use (sdepth (m (,m)) (q ,q)))))
          (print-and-prove ,(hyphen m 'seq) (rewrite)
            (seqp (,m))
            ((use (seqp (m (,m)))))))))


****** *********** *********** ******************************************* 

BPH 

***++**+++*++++*+*+++++++++++++ 4 ,+++ ************************************ 
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; ;We illustrate our methodology with a pair of circuits , RCVR and SNDR, 

;; which achieve asynchronous communication via the biphase mark protocol. 
;;The definitions of these circuits are presented below. 

; ;Each combinational component is defined via DEFCOMB. For each of its 
;;outputs, three lemmas are proved, establishing the values of the functions 
;;RV, DCMIN, and DCHAX. 

; ;Each sequential component is defined via DEFSEQ. For each output, a lemma 
;;is proved pertaining to RV. For each input, a lemma is proved, giving the 
;; setup time. Other lemmas give the period and characterize the behavior of 
; ; STATEP and NEXT: 

(defseq cdff 1 

(elk rst clear d) (q qn) 

(dff (elk rst den) (q qn)) 

(notl (clear) (cn)) 

(and2 (d cn) (den))) 

(prove-lemma cdff-statep (rewrite) 

(equal (statep state (cdff)) 

(boolp state)) 

((use (statep (m (cdff)))))) 

(prove-lemma rv-edff-q (rewrite) 

(equal (rv ’q state (cdff)) state)) 

(prove-lemma rv-edff-qn (rewrite) 

(equal (rv ’qn state (cdff)) (not state))) 

(prove-lemma next-edff (rewrite) 

(implies (sveep v (cdff)) 

(equal (next v state (cdff)) 

(if (car v) f (cadr v)))) 

((use (next (m (cdff)))))) 

(prove-lemma cdff-setup-rst (rewrite) 

(equal (setup 'rst (cdff)) 8000)) 

(prove-lemma cdff-setup-clear (rewrite) 

(equal (setup 'clear (cdff)) 10000)) 

(prove-lemma cdff-setup-d (rewrite) 

(equal (setup 'd (cdff)) 8000)) 

(prove-lemma cdff-per (rewrite) 

(equal (per (cdff)) 10000)) 


(defseq edff 1 

(elk rst enable d) (q qn) 

(dff (elk rst s4) (q qn)) 

(notl (enable) (si)) 

(nand2 (si q) (s2)) 

(nand2 (d enable) (s3)) 

(nand2 (s2 s3) (s4))) 

(prove-lemma edff-statep (rewrite) 
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(equal (statep state (edff)) 

(boolp state)) 

((use (statep (m (edff)))))) 

(prove-lemma rv-edff-q (rewrite) 

(equal (rv 'q state (edff)) state)) 

(prove-lemma rv-edff-qn (rewrite) 

(equal (rv J qn state (edff)) (not state))) 

(prove-lemma next-edff (rewrite) 

(implies (and (svecp v (edff)) 

(statep state (edff))) 

(equal (next v state (edff)) 

(if (car v) (cadr v) state))) 

((use (next (m (edff))) 

(statep (m (edff)))))) 

(prove-lemma edf f-setup-rst (rewrite) 

(equal (setup ’rst (edff)) 8000)) 

(prove-lemma edff-setup-enable (rewrite) 
(equal (setup 'enable (edff)) 12000)) 

(prove-lemma edff-setup-d (rewrite) 

(equal (setup >d (edff)) 10000)) 

(prove-lemma edff-per (rewrite) 

(equal (per (edff)) 16000)) 


(defseq ecdff 1
  (clk rst clear enable d) (q qn)
  (dff (clk rst s5) (q qn))
  (not1 (enable) (s1))
  (not1 (clear) (s2))
  (nand3 (q s1 s2) (s3))
  (nand3 (d s2 enable) (s4))
  (nand2 (s3 s4) (s5)))

(prove-lemma ecdff-statep (rewrite)
  (equal (statep state (ecdff))
         (boolp state))
  ((use (statep (m (ecdff))))))

(prove-lemma rv-ecdff-q (rewrite)
  (equal (rv 'q state (ecdff)) state))

(prove-lemma rv-ecdff-qn (rewrite)
  (equal (rv 'qn state (ecdff)) (not state)))

(prove-lemma next-ecdff (rewrite)
  (implies (and (svecp v (ecdff))
                (statep state (ecdff)))
           (equal (next v state (ecdff))
                  (if (car v) f (if (cadr v) (caddr v) state))))
  ((use (next (m (ecdff)))
        (statep (m (ecdff))))))

(prove-lemma ecdff-setup-rst (rewrite)
  (equal (setup 'rst (ecdff)) 8000))

(prove-lemma ecdff-setup-clear (rewrite)
  (equal (setup 'clear (ecdff)) 12000))

(prove-lemma ecdff-setup-enable (rewrite)
  (equal (setup 'enable (ecdff)) 12000))

(prove-lemma ecdff-setup-d (rewrite)
  (equal (setup 'd (ecdff)) 10000))

(prove-lemma ecdff-per (rewrite)
  (equal (per (ecdff)) 16000))


(defseq port3 1
  (clk rst shift sin load din) (q)
  (edff (clk rst s3 s4) (q qn))
  (nand2 (din load) (s1))
  (nand2 (sin shift) (s2))
  (or2 (load shift) (s3))
  (nand2 (s1 s2) (s4)))

(prove-lemma port3-statep (rewrite)
  (equal (statep state (port3))
         (boolp state))
  ((use (statep (m (port3))))))

(prove-lemma rv-port3-q (rewrite)
  (equal (rv 'q state (port3)) state))

(prove-lemma next-port3-1 (rewrite)
  (implies (and (svecp v (port3))
                (statep state (port3))
                (not (car v)))
           (equal (next v state (port3))
                  (if (caddr v) (cadddr v) state)))
  ((use (next (m (port3)))
        (statep (m (port3))))))

(prove-lemma next-port3-2 (rewrite)
  (implies (and (svecp v (port3))
                (statep state (port3))
                (not (caddr v)))
           (equal (next v state (port3))
                  (if (car v) (cadr v) state)))
  ((use (next (m (port3)))
        (statep (m (port3))))))

(prove-lemma port3-setup-rst (rewrite)
  (equal (setup 'rst (port3)) 8000))

(prove-lemma port3-setup-shift (rewrite)
  (equal (setup 'shift (port3)) 14000))

(prove-lemma port3-setup-sin (rewrite)
  (equal (setup 'sin (port3)) 14000))

(prove-lemma port3-setup-load (rewrite)
  (equal (setup 'load (port3)) 14000))

(prove-lemma port3-setup-din (rewrite)
  (equal (setup 'din (port3)) 14000))

(prove-lemma port3-per (rewrite)
  (equal (per (port3)) 16000))


(defseq shift8 8
  (clk rst load shift sin d0 d1 d2 d3 d4 d5 d6 d7)
  (q0 q1 q2 q3 q4 q5 q6 q7)
  (port3 (clk rst shift sin load d0) (q0))
  (port3 (clk rst shift q0 load d1) (q1))
  (port3 (clk rst shift q1 load d2) (q2))
  (port3 (clk rst shift q2 load d3) (q3))
  (port3 (clk rst shift q3 load d4) (q4))
  (port3 (clk rst shift q4 load d5) (q5))
  (port3 (clk rst shift q5 load d6) (q6))
  (port3 (clk rst shift q6 load d7) (q7)))

(prove-lemma shift8-statep (rewrite)
  (equal (statep state (shift8))
         (bvpn state 8))
  ((use (statep (m (shift8))))
   (disable boolp)))

(prove-lemma rv-shift8-q0 (rewrite)
  (equal (rv 'q0 state (shift8)) (car state)))

(prove-lemma rv-shift8-q1 (rewrite)
  (equal (rv 'q1 state (shift8)) (cadr state)))

(prove-lemma rv-shift8-q2 (rewrite)
  (equal (rv 'q2 state (shift8)) (caddr state)))

(prove-lemma rv-shift8-q3 (rewrite)
  (equal (rv 'q3 state (shift8)) (cadddr state)))

(prove-lemma rv-shift8-q4 (rewrite)
  (equal (rv 'q4 state (shift8)) (caddddr state)))

(prove-lemma rv-shift8-q5 (rewrite)
  (equal (rv 'q5 state (shift8)) (cadddddr state)))

(prove-lemma rv-shift8-q6 (rewrite)
  (equal (rv 'q6 state (shift8)) (caddddddr state)))

(prove-lemma rv-shift8-q7 (rewrite)
  (equal (rv 'q7 state (shift8)) (cadddddddr state)))

(defn shift (sin l)
  (if (listp l)
      (cons sin (shift (car l) (cdr l)))
    ()))

(prove-lemma shift-rewrite-1 (rewrite)
  (implies (boolp (car l))
           (equal (shift s l)
                  (cons s (shift (car l) (cdr l))))))

(prove-lemma shift-rewrite-2 (rewrite)
  (implies (nlistp l)
           (equal (shift s l) ())))

(disable shift)

(prove-lemma cons-car-nil (rewrite)
  (implies (equal (cdr u) ())
           (equal (cons (car u) ()) u)))

(disable cons-car-nil)

(prove-lemma next-shift8-1 (rewrite)
  (implies (and (svecp v (shift8))
                (statep state (shift8))
                (not (car v)))
           (equal (next v state (shift8))
                  (if (cadr v) (shift (caddr v) state) state)))
  ((use (next (m (shift8)))
        (statep (m (shift8))))
   (enable cons-car-nil)
   (disable boolp)))

(prove-lemma next-shift8-2 (rewrite)
  (implies (and (svecp v (shift8))
                (statep state (shift8))
                (not (cadr v)))
           (equal (next v state (shift8))
                  (if (car v) (cdddr v) state)))
  ((use (next (m (shift8)))
        (statep (m (shift8))))
   (enable cons-car-nil)
   (disable boolp)))

(prove-lemma shift8-setup-rst (rewrite)
  (equal (setup 'rst (shift8)) 8000))

(prove-lemma shift8-setup-shift (rewrite)
  (equal (setup 'shift (shift8)) 14000))

(prove-lemma shift8-setup-sin (rewrite)
  (equal (setup 'sin (shift8)) 14000))

(prove-lemma shift8-setup-load (rewrite)
  (equal (setup 'load (shift8)) 14000))

(prove-lemma shift8-setup-d0 (rewrite)
  (equal (setup 'd0 (shift8)) 14000))

(prove-lemma shift8-setup-d1 (rewrite)
  (equal (setup 'd1 (shift8)) 14000))

(prove-lemma shift8-setup-d2 (rewrite)
  (equal (setup 'd2 (shift8)) 14000))

(prove-lemma shift8-setup-d3 (rewrite)
  (equal (setup 'd3 (shift8)) 14000))

(prove-lemma shift8-setup-d4 (rewrite)
  (equal (setup 'd4 (shift8)) 14000))

(prove-lemma shift8-setup-d5 (rewrite)
  (equal (setup 'd5 (shift8)) 14000))

(prove-lemma shift8-setup-d6 (rewrite)
  (equal (setup 'd6 (shift8)) 14000))

(prove-lemma shift8-setup-d7 (rewrite)
  (equal (setup 'd7 (shift8)) 14000))

(prove-lemma shift8-per (rewrite)
  (equal (per (shift8)) 20000))


(defcomb comp5 (c0 b0 c1 b1 c2 b2 c3 b3 c4 b4) (match)
  (xor2 (c0 b0) (s1))
  (xor2 (c1 b1) (s2))
  (xor2 (c2 b2) (s3))
  (xor2 (c3 b3) (s4))
  (xor2 (c4 b4) (s5))
  (nor5 (s1 s2 s3 s4 s5) (match)))

(prove-lemma cv-comp5 (rewrite)
  (let ((c0 (car v)) (b0 (cadr v))
        (c1 (caddr v)) (b1 (cadddr v))
        (c2 (caddddr v)) (b2 (cadddddr v))
        (c3 (caddddddr v)) (b3 (cadddddddr v))
        (c4 (caddddddddr v)) (b4 (cadddddddddr v)))
    (implies (cvecp v (comp5))
             (equal (cv 'match v (comp5))
                    (equal (list b0 b1 b2 b3 b4) (list c0 c1 c2 c3 c4)))))
  ((disable boolp)))


(defseq count3 3
  (clk rst enable) (q0 q1 q2)
  (edff (clk rst enable qn0) (q0 qn0))
  (edff (clk rst enable s3) (q1 qn1))
  (edff (clk rst enable s2) (q2 qn2))
  (and2 (q0 q1) (s1))
  (xor2 (s1 q2) (s2))
  (xor2 (q0 q1) (s3)))

(prove-lemma count3-statep (rewrite)
  (equal (statep state (count3))
         (bvpn state 3))
  ((use (statep (m (count3))))
   (disable boolp)))

(prove-lemma rv-count3-q0 (rewrite)
  (equal (rv 'q0 state (count3)) (car state)))

(prove-lemma rv-count3-q1 (rewrite)
  (equal (rv 'q1 state (count3)) (cadr state)))

(prove-lemma rv-count3-q2 (rewrite)
  (equal (rv 'q2 state (count3)) (caddr state)))

(defn modinc (n)
  (if (listp n)
      (if (car n)
          (cons f (modinc (cdr n)))
        (cons t (cdr n)))
    n))

(prove-lemma modinc-rewrite-1 (rewrite)
  (implies (not (car n))
           (equal (modinc n)
                  (cons t (cdr n)))))

(prove-lemma modinc-rewrite-2 (rewrite)
  (implies (and (boolp (car n)) (car n))
           (equal (modinc n)
                  (cons f (modinc (cdr n))))))

(prove-lemma modinc-rewrite-3 (rewrite)
  (implies (nlistp n)
           (equal (modinc n) n)))

(disable modinc)

(prove-lemma next-count3 (rewrite)
  (implies (statep state (count3))
           (equal (next v state (count3))
                  (if (car v)
                      (modinc state)
                    state)))
  ((use (next (m (count3))))))

(prove-lemma count3-setup-rst (rewrite)
  (equal (setup 'rst (count3)) 8000))

(prove-lemma count3-setup-enable (rewrite)
  (equal (setup 'enable (count3)) 12000))

(prove-lemma count3-per (rewrite)
  (equal (per (count3)) 20000))

(defseq count5 5
  (clk rst clear enable) (q0 q1 q2 q3 q4)
  (ecdff (clk rst clear enable qn0) (q0 qn0))
  (ecdff (clk rst clear enable x1) (q1 qn1))
  (ecdff (clk rst clear enable x2) (q2 qn2))
  (ecdff (clk rst clear enable x3) (q3 qn3))
  (ecdff (clk rst clear enable x4) (q4 qn4))
  (and2 (q0 q1) (a1))
  (and2 (a1 q2) (a2))
  (and2 (a2 q3) (a3))
  (xor2 (q0 q1) (x1))
  (xor2 (q2 a1) (x2))
  (xor2 (q3 a2) (x3))
  (xor2 (q4 a3) (x4)))

(prove-lemma count5-statep (rewrite)
  (equal (statep state (count5))
         (bvpn state 5))
  ((use (statep (m (count5))))
   (disable boolp)))

(prove-lemma rv-count5-q0 (rewrite)
  (equal (rv 'q0 state (count5)) (car state)))

(prove-lemma rv-count5-q1 (rewrite)
  (equal (rv 'q1 state (count5)) (cadr state)))

(prove-lemma rv-count5-q2 (rewrite)
  (equal (rv 'q2 state (count5)) (caddr state)))

(prove-lemma rv-count5-q3 (rewrite)
  (equal (rv 'q3 state (count5)) (cadddr state)))

(prove-lemma rv-count5-q4 (rewrite)
  (equal (rv 'q4 state (count5)) (caddddr state)))

(prove-lemma next-count5 (rewrite)
  (implies (statep state (count5))
           (equal (next v state (count5))
                  (if (car v)
                      (listn 5 f)
                    (if (cadr v)
                        (modinc state)
                      state))))
  ((use (next (m (count5))))))

(prove-lemma count5-setup-rst (rewrite)
  (equal (setup 'rst (count5)) 8000))

(prove-lemma count5-setup-clear (rewrite)
  (equal (setup 'clear (count5)) 12000))

(prove-lemma count5-setup-enable (rewrite)
  (equal (setup 'enable (count5)) 12000))

(prove-lemma count5-per (rewrite)
  (equal (per (count5)) 24000))


(defseq rcount 2
  (clk rst stop start) (bit)
  (cdff (clk rst stop s1) (q qn))
  (count5 (clk rst stop q) (q0 q1 q2 q3 q4))
  (or2 (start q) (s1))
  (t0 () (t))
  (f0 () (f))
  (comp5 (t q0 f q1 f q2 t q3 f q4) (bit)))

(prove-lemma rcount-statep (rewrite)
  (equal (statep state (rcount))
         (and (boolp (car state))
              (bvpn (cadr state) 5)
              (equal (cddr state) ())))
  ((use (statep (m (rcount))))
   (disable boolp)))

(prove-lemma rv-rcount-bit (rewrite)
  (implies (statep state (rcount))
           (equal (rv 'bit state (rcount))
                  (equal (cadr state) (list t f f t f))))
  ((disable bvpn boolp)))

(prove-lemma next-rcount (rewrite)
  (implies (statep state (rcount))
           (equal (next v state (rcount))
                  (if (car v)
                      (list f (listn 5 f))
                    (list (if (cadr v) t (car state))
                          (if (car state)
                              (modinc (cadr state))
                            (cadr state))))))
  ((use (next (m (rcount)))
        (boolp (x (car state))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)))

(prove-lemma rcount-setup-rst (rewrite)
  (equal (setup 'rst (rcount)) 8000))

(prove-lemma rcount-setup-stop (rewrite)
  (equal (setup 'stop (rcount)) 12000))

(prove-lemma rcount-setup-start (rewrite)
  (equal (setup 'start (rcount)) 10000))

(prove-lemma rcount-per (rewrite)
  (equal (per (rcount)) 24000))


(defseq scount 2
  (clk rst stop bit) (mark code)
  (cdff (clk rst stop s1) (q qn))
  (count5 (clk rst s2 q) (q0 q1 q2 q3 q4))
  (or2 (bit q) (s1))
  (or2 (stop bit) (s2))
  (t0 () (t))
  (f0 () (f))
  (comp5 (f q0 f q1 t q2 f q3 f q4) (mark))
  (comp5 (t q0 f q1 f q2 f q3 t q4) (code)))

(prove-lemma scount-statep (rewrite)
  (equal (statep state (scount))
         (and (boolp (car state))
              (bvpn (cadr state) 5)
              (equal (cddr state) ())))
  ((use (statep (m (scount))))
   (disable boolp)))

(prove-lemma rv-scount-mark (rewrite)
  (implies (statep state (scount))
           (equal (rv 'mark state (scount))
                  (equal (cadr state) (list f f t f f))))
  ((disable bvpn boolp)))

(prove-lemma rv-scount-code (rewrite)
  (implies (statep state (scount))
           (equal (rv 'code state (scount))
                  (equal (cadr state) (list t f f f t))))
  ((disable bvpn boolp)))

(prove-lemma next-scount (rewrite)
  (implies (statep state (scount))
           (equal (next v state (scount))
                  (if (car v)
                      (list f (listn 5 f))
                    (if (cadr v)
                        (list t (listn 5 f))
                      (if (car state)
                          (list (car state) (modinc (cadr state)))
                        state)))))
  ((use (next (m (scount)))
        (boolp (x (car state))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)))

(prove-lemma scount-setup-rst (rewrite)
  (equal (setup 'rst (scount)) 8000))

(prove-lemma scount-setup-stop (rewrite)
  (equal (setup 'stop (scount)) 14000))

(prove-lemma scount-setup-bit (rewrite)
  (equal (setup 'bit (scount)) 14000))

(prove-lemma scount-per (rewrite)
  (equal (per (scount)) 24000))


(defseq rcvr 5
  (clk rst sin) (d0 d1 d2 d3 d4 d5 d6 d7 done)
  (edff (clk rst bit n1) (q qn))
  (rcount (clk rst bit n2) (bit))
  (count3 (clk rst bit) (q0 q1 q2))
  (shift8 (clk rst f bit x f f f f f f f f) (d0 d1 d2 d3 d4 d5 d6 d7))
  (dff (clk rst a) (done donen))
  (not1 (sin) (n1))
  (not1 (x) (n2))
  (xor2 (sin q) (x))
  (and4 (q0 q1 q2 bit) (a))
  (f0 () (f)))

(prove-lemma rcvr-statep (rewrite)
  (equal (statep state (rcvr))
         (and (boolp (car state))
              (statep (cadr state) (rcount))
              (bvpn (caddr state) 3)
              (bvpn (cadddr state) 8)
              (boolp (caddddr state))
              (equal (cdddddr state) ())))
  ((use (statep (m (rcvr))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)))

(prove-lemma rv-rcvr-d0 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd0 state (rcvr))
                  (caadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d1 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd1 state (rcvr))
                  (cadadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d2 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd2 state (rcvr))
                  (caddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d3 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd3 state (rcvr))
                  (cadddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d4 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd4 state (rcvr))
                  (caddddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d5 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd5 state (rcvr))
                  (cadddddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d6 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd6 state (rcvr))
                  (caddddddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d7 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd7 state (rcvr))
                  (cadddddddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-done (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'done state (rcvr))
                  (caddddr state)))
  ((disable bvpn boolp)))

(prove-lemma next-rcvr-1 (rewrite)
  (implies (and (statep state (rcvr))
                (svecp v (rcvr))
                (equal (cadr state) (list f (listn 5 f)))
                (equal (caddddr state) f))
           (equal (next v state (rcvr))
                  (if (equal (car v) (car state))
                      (list (car state)
                            (list t (listn 5 f))
                            (caddr state)
                            (cadddr state)
                            f)
                    state)))
  ((use (next (m (rcvr)))
        (boolp (x (car state))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)
   (enable cons-car-nil)))

(prove-lemma bvp3-t (rewrite)
  (implies (and (bvpn v 3)
                (car v)
                (cadr v)
                (caddr v))
           (equal (equal v (list t t t)) t)))

(prove-lemma next-rcvr-2 (rewrite)
  (implies (and (statep state (rcvr))
                (svecp v (rcvr))
                (equal (caadr state) t)
                (equal (caddddr state) f))
           (equal (next v state (rcvr))
                  (if (equal (cadadr state) (list t f f t f))
                      (list (not (car v))
                            (list f (listn 5 f))
                            (modinc (caddr state))
                            (shift (not (equal (car v) (car state))) (cadddr state))
                            (equal (caddr state) (list t t t)))
                    (list (car state)
                          (list t (modinc (cadadr state)))
                          (caddr state)
                          (cadddr state)
                          f))))
  ((use (next (m (rcvr)))
        (boolp (x (car state))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)
   (enable cons-car-nil)))

(prove-lemma rcvr-setup-rst (rewrite)
  (equal (setup 'rst (rcvr)) 8000))

(prove-lemma rcvr-setup-sin (rewrite)
  (equal (setup 'sin (rcvr)) 16000))

(prove-lemma rcvr-per (rewrite)
  (equal (per (rcvr)) 24000))
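As an added, executable illustration that is not part of the original event list, the Python below runs the behaviour that next-rcvr-1 and next-rcvr-2 ascribe to rcvr over a constructed biphase-mark waveform and recovers the byte when done rises. The cell length (18 clocks), mid-cell offset (6) and idle line level are assumptions chosen so the sample point at rcount = 9 falls between the mid-cell and the next boundary transition; the done=t case, which the lemmas leave out, follows the netlist (done is a dff fed by bit, which is low while rcount is idle).

```python
# Bit vectors are Python lists, least significant bit first, as in the
# events above (q0 is the car). The timing constants are assumptions made
# for this illustration, not values taken from the sndr/rcvr events.
IDLE = (False, [False] * 5)                    # rcount: not counting, count 0
SAMPLE_AT = [True, False, False, True, False]  # rcount count = 9: bit asserts
LAST_BIT = [True, True, True]                  # count3 = 7: the eighth bit

def modinc(n):
    """Increment an LSB-first bit vector modulo 2**len(n) (defn modinc)."""
    if not n:
        return n
    return [False] + modinc(n[1:]) if n[0] else [True] + n[1:]

def shift(sin, l):
    """Shift sin in at the front and drop the last element (defn shift)."""
    return [sin] + l[:-1] if l else []

def rcvr_next(sin, state):
    """One clock of rcvr with rst low: the right-hand sides of next-rcvr-1
    (rcount idle) and next-rcvr-2 (rcount counting). state is
    (q, rcount-state, count3-state, shift8-state, done)."""
    q, (counting, count), c3, sh, done = state
    if not counting:                             # next-rcvr-1
        if sin == q:                             # line flipped: cell boundary
            return (q, (True, [False] * 5), c3, sh, False)
        # equals the lemma's `state` when done=f; with done=t the dff clears
        # it next clock because bit is low while rcount is idle (assumption)
        return (q, (counting, count), c3, sh, False)
    if count == SAMPLE_AT:                       # next-rcvr-2: sample point
        return (not sin, IDLE, modinc(c3), shift(sin != q, sh), c3 == LAST_BIT)
    return (q, (True, modinc(count)), c3, sh, False)

def encode(bits_msb_first, cell=18, mid=6, idle=True):
    """Constructed biphase-mark waveform, one sample per receiver clock:
    every cell opens with a transition; a 1 bit adds one mid-cell."""
    level, wave = idle, [idle] * cell
    for b in bits_msb_first:
        level = not level                        # cell boundary
        first_half = [level] * mid
        if b:
            level = not level                    # mid-cell transition: a 1
        wave += first_half + [level] * (cell - mid)
    return wave + [level] * cell

def receive(wave):
    """Clock the model from the reset state; return the shift8 contents
    (d0..d7, LSB first) in the clock where done rises, or None."""
    state = (False, IDLE, [False] * 3, [False] * 8, False)
    for sin in wave:
        state = rcvr_next(sin, state)
        if state[4]:
            return state[3]
    return None

def to_int(bits):
    """Value of an LSB-first bit vector."""
    return sum(int(b) << i for i, b in enumerate(bits))

if __name__ == "__main__":
    # 0x2B sent d7 first, as sndr does (it toggles sout on q7 and shifts f in)
    print(hex(to_int(receive(encode([0, 0, 1, 0, 1, 0, 1, 1])))))  # -> 0x2b
```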


(defseq sndr 4
  (clk rst send d0 d1 d2 d3 d4 d5 d6 d7) (sout)
  (scount (clk rst a4 o2) (mark code))
  (shift8 (clk rst send code f d0 d1 d2 d3 d4 d5 d6 d7) (q0 q1 q2 q3 q4 q5 q6 q7))
  (count3 (clk rst mark) (c0 c1 c2))
  (edff (clk rst o3 sout) (q sout))
  (or2 (code send) (o2))
  (and2 (q7 mark) (a2))
  (and4 (mark c0 c1 c2) (a4))
  (or3 (a2 send code) (o3))
  (f0 () (f)))

(prove-lemma sndr-statep (rewrite)
  (equal (statep state (sndr))
         (and (statep (car state) (scount))
              (bvpn (cadr state) 8)
              (bvpn (caddr state) 3)
              (boolp (cadddr state))
              (equal (cddddr state) ())))
  ((use (statep (m (sndr))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)))

(prove-lemma rv-sndr-sout (rewrite)
  (implies (statep state (sndr))
           (equal (rv 'sout state (sndr))
                  (not (cadddr state))))
  ((disable bvpn boolp)))

(prove-lemma regp-sndr-sout (rewrite)
  (regp 'sout (sndr)))

(prove-lemma boolp-car-listp (rewrite)
  (implies (boolp (car v))
           (listp v)))

(disable boolp-car-listp)

(prove-lemma equal-list-4 (rewrite)
  (implies (and (equal a (car s))
                (equal b (cadr s))
                (equal c (caddr s))
                (equal d (cadddr s))
                (equal () (cddddr s)))
           (equal (equal (list a b c d) s)
                  t)))

(prove-lemma next-sndr-1 (rewrite)
  (implies (and (statep state (sndr))
                (svecp v (sndr))
                (equal (car state) (list f (listn 5 f))))
           (equal (next v state (sndr))
                  (if (car v)
                      (list (list t (listn 5 f))
                            (list (cadr v)
                                  (caddr v)
                                  (cadddr v)
                                  (caddddr v)
                                  (cadddddr v)
                                  (caddddddr v)
                                  (cadddddddr v)
                                  (caddddddddr v))
                            (caddr state)
                            (not (cadddr state)))
                    state)))
  ((use (next (m (sndr)))
        (boolp (x (cadddr state))))
   (disable boolp)
   (enable cons-car-nil boolp-car-listp)))

(prove-lemma next-sndr-2 (rewrite)
  (implies (and (statep state (sndr))
                (svecp v (sndr))
                (not (car v))
                (equal (caar state) t))
           (equal (next v state (sndr))
                  (if (equal (cadar state) (list f f t f f))        ; mark
                      (if (equal (caddr state) (list t t t))         ; 8th bit
                          (list (list f (listn 5 f))
                                (cadr state)
                                (list f f f)
                                (if (cadddddddadr state)
                                    (not (cadddr state))
                                  (cadddr state)))
                        (list (list t (modinc (cadar state)))
                              (cadr state)
                              (modinc (caddr state))
                              (if (cadddddddadr state)
                                  (not (cadddr state))
                                (cadddr state))))
                    (if (equal (cadar state) (list t f f f t))       ; code
                        (list (list t (listn 5 f))
                              (shift f (cadr state))
                              (caddr state)
                              (not (cadddr state)))
                      (list (list t (modinc (cadar state)))
                            (cadr state)
                            (caddr state)
                            (cadddr state))))))
  ((use (next (m (sndr)))
        (boolp (x (cadddr state))))
   (disable boolp)
   (enable cons-car-nil boolp-car-listp)))

(prove-lemma sndr-setup-rst (rewrite)
  (equal (setup 'rst (sndr)) 8000))

(prove-lemma sndr-setup-send (rewrite)
  (equal (setup 'send (sndr)) 16000))

(prove-lemma sndr-setup-d0 (rewrite)
  (equal (setup 'd0 (sndr)) 14000))

(prove-lemma sndr-setup-d1 (rewrite)
  (equal (setup 'd1 (sndr)) 14000))

(prove-lemma sndr-setup-d2 (rewrite)
  (equal (setup 'd2 (sndr)) 14000))

(prove-lemma sndr-setup-d3 (rewrite)
  (equal (setup 'd3 (sndr)) 14000))

(prove-lemma sndr-setup-d4 (rewrite)
  (equal (setup 'd4 (sndr)) 14000))

(prove-lemma sndr-setup-d5 (rewrite)
  (equal (setup 'd5 (sndr)) 14000))

(prove-lemma sndr-setup-d6 (rewrite)
  (equal (setup 'd6 (sndr)) 14000))

(prove-lemma sndr-setup-d7 (rewrite)
  (equal (setup 'd7 (sndr)) 14000))

(prove-lemma sndr-per (rewrite)
  (equal (per (sndr)) 26000))